AC-1 - ACCESS CONTROL POLICY AND PROCEDURES
AC-2 - ACCOUNT MANAGEMENT
AC-3 - ACCESS ENFORCEMENT
AC-4 - INFORMATION FLOW ENFORCEMENT
AC-5 - SEPARATION OF DUTIES
AC-6 - LEAST PRIVILEGE
AC-7 - UNSUCCESSFUL LOGON ATTEMPTS
AC-8 - SYSTEM USE NOTIFICATION
AC-9 - PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-10 - CONCURRENT SESSION CONTROL
AC-11 - SESSION LOCK
AC-12 - SESSION TERMINATION
AC-13 - SUPERVISION AND REVIEW - ACCESS CONTROL
AC-14 - PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-15 - AUTOMATED MARKING
AC-16 - SECURITY ATTRIBUTES
AC-17 - REMOTE ACCESS
AC-18 - WIRELESS ACCESS
AC-19 - ACCESS CONTROL FOR MOBILE DEVICES
AC-20 - USE OF EXTERNAL INFORMATION SYSTEMS
AC-21 - INFORMATION SHARING
AC-22 - PUBLICLY ACCESSIBLE CONTENT
AC-23 - DATA MINING PROTECTION
AC-24 - ACCESS CONTROL DECISIONS
AC-25 - REFERENCE MONITOR
AU-1 - AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-2 - AUDIT EVENTS
AU-3 - CONTENT OF AUDIT RECORDS
AU-4 - AUDIT STORAGE CAPACITY
AU-5 - RESPONSE TO AUDIT PROCESSING FAILURES
AU-6 - AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-7 - AUDIT REDUCTION AND REPORT GENERATION
AU-8 - TIME STAMPS
AU-9 - PROTECTION OF AUDIT INFORMATION
AU-10 - NON-REPUDIATION
AU-11 - AUDIT RECORD RETENTION
AU-12 - AUDIT GENERATION
AU-13 - MONITORING FOR INFORMATION DISCLOSURE
AU-14 - SESSION AUDIT
AU-15 - ALTERNATE AUDIT CAPABILITY
AU-16 - CROSS-ORGANIZATIONAL AUDITING
AT-1 - SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 - SECURITY AWARENESS TRAINING
AT-3 - ROLE-BASED SECURITY TRAINING
AT-4 - SECURITY TRAINING RECORDS
AT-5 - CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
CM-1 - CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-2 - BASELINE CONFIGURATION
CM-3 - CONFIGURATION CHANGE CONTROL
CM-4 - SECURITY IMPACT ANALYSIS
CM-5 - ACCESS RESTRICTIONS FOR CHANGE
CM-6 - CONFIGURATION SETTINGS
CM-7 - LEAST FUNCTIONALITY
CM-8 - INFORMATION SYSTEM COMPONENT INVENTORY
CM-9 - CONFIGURATION MANAGEMENT PLAN
CM-10 - SOFTWARE USAGE RESTRICTIONS
CM-11 - USER-INSTALLED SOFTWARE
CP-1 - CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2 - CONTINGENCY PLAN
CP-3 - CONTINGENCY TRAINING
CP-4 - CONTINGENCY PLAN TESTING
CP-5 - CONTINGENCY PLAN UPDATE
CP-6 - ALTERNATE STORAGE SITE
CP-7 - ALTERNATE PROCESSING SITE
CP-8 - TELECOMMUNICATIONS SERVICES
CP-9 - INFORMATION SYSTEM BACKUP
CP-10 - INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-11 - ALTERNATE COMMUNICATIONS PROTOCOLS
CP-12 - SAFE MODE
CP-13 - ALTERNATIVE SECURITY MECHANISMS
IA-1 - IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2 - IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-3 - DEVICE IDENTIFICATION AND AUTHENTICATION
IA-4 - IDENTIFIER MANAGEMENT
IA-5 - AUTHENTICATOR MANAGEMENT
IA-6 - AUTHENTICATOR FEEDBACK
IA-7 - CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 - IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-9 - SERVICE IDENTIFICATION AND AUTHENTICATION
IA-10 - ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IA-11 - RE-AUTHENTICATION
IR-1 - INCIDENT RESPONSE POLICY AND PROCEDURES
IR-2 - INCIDENT RESPONSE TRAINING
IR-3 - INCIDENT RESPONSE TESTING
IR-4 - INCIDENT HANDLING
IR-5 - INCIDENT MONITORING
IR-6 - INCIDENT REPORTING
IR-7 - INCIDENT RESPONSE ASSISTANCE
IR-8 - INCIDENT RESPONSE PLAN
IR-9 - INFORMATION SPILLAGE RESPONSE
IR-10 - INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
MA-1 - SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-2 - CONTROLLED MAINTENANCE
MA-3 - MAINTENANCE TOOLS
MA-4 - NONLOCAL MAINTENANCE
MA-5 - MAINTENANCE PERSONNEL
MA-6 - TIMELY MAINTENANCE
MP-1 - MEDIA PROTECTION POLICY AND PROCEDURES
MP-2 - MEDIA ACCESS
MP-3 - MEDIA MARKING
MP-4 - MEDIA STORAGE
MP-5 - MEDIA TRANSPORT
MP-6 - MEDIA SANITIZATION
MP-7 - MEDIA USE
MP-8 - MEDIA DOWNGRADING
PS-1 - PERSONNEL SECURITY POLICY AND PROCEDURES
PS-2 - POSITION RISK DESIGNATION
PS-3 - PERSONNEL SCREENING
PS-4 - PERSONNEL TERMINATION
PS-5 - PERSONNEL TRANSFER
PS-6 - ACCESS AGREEMENTS
PS-7 - THIRD-PARTY PERSONNEL SECURITY
PS-8 - PERSONNEL SANCTIONS
PE-1 - PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-2 - PHYSICAL ACCESS AUTHORIZATIONS
PE-3 - PHYSICAL ACCESS CONTROL
PE-4 - ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-5 - ACCESS CONTROL FOR OUTPUT DEVICES
PE-6 - MONITORING PHYSICAL ACCESS
PE-7 - VISITOR CONTROL
PE-8 - VISITOR ACCESS RECORDS
PE-9 - POWER EQUIPMENT AND CABLING
PE-10 - EMERGENCY SHUTOFF
PE-11 - EMERGENCY POWER
PE-12 - EMERGENCY LIGHTING
PE-13 - FIRE PROTECTION
PE-14 - TEMPERATURE AND HUMIDITY CONTROLS
PE-15 - WATER DAMAGE PROTECTION
PE-16 - DELIVERY AND REMOVAL
PE-17 - ALTERNATE WORK SITE
PE-18 - LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-19 - INFORMATION LEAKAGE
PE-20 - ASSET MONITORING AND TRACKING
PL-1 - SECURITY PLANNING POLICY AND PROCEDURES
PL-2 - SYSTEM SECURITY PLAN
PL-3 - SYSTEM SECURITY PLAN UPDATE
PL-4 - RULES OF BEHAVIOR
PL-5 - PRIVACY IMPACT ASSESSMENT
PL-6 - SECURITY-RELATED ACTIVITY PLANNING
PL-7 - SECURITY CONCEPT OF OPERATIONS
PL-8 - INFORMATION SECURITY ARCHITECTURE
PL-9 - CENTRAL MANAGEMENT
PM-1 - INFORMATION SECURITY PROGRAM PLAN
PM-2 - SENIOR INFORMATION SECURITY OFFICER
PM-3 - INFORMATION SECURITY RESOURCES
PM-4 - PLAN OF ACTION AND MILESTONES PROCESS
PM-5 - INFORMATION SYSTEM INVENTORY
PM-6 - INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-7 - ENTERPRISE ARCHITECTURE
PM-8 - CRITICAL INFRASTRUCTURE PLAN
PM-9 - RISK MANAGEMENT STRATEGY
PM-10 - SECURITY AUTHORIZATION PROCESS
PM-11 - MISSION/BUSINESS PROCESS DEFINITION
PM-12 - INSIDER THREAT PROGRAM
PM-13 - INFORMATION SECURITY WORKFORCE
PM-14 - TESTING, TRAINING, AND MONITORING
PM-15 - CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PM-16 - THREAT AWARENESS PROGRAM
RA-1 - RISK ASSESSMENT POLICY AND PROCEDURES
RA-2 - SECURITY CATEGORIZATION
RA-3 - RISK ASSESSMENT
RA-4 - RISK ASSESSMENT UPDATE
RA-5 - VULNERABILITY SCANNING
RA-6 - TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
CA-1 - SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CA-2 - SECURITY ASSESSMENTS
CA-3 - SYSTEM INTERCONNECTIONS
CA-4 - SECURITY CERTIFICATION
CA-5 - PLAN OF ACTION AND MILESTONES
CA-6 - SECURITY AUTHORIZATION
CA-7 - CONTINUOUS MONITORING
CA-8 - PENETRATION TESTING
CA-9 - INTERNAL SYSTEM CONNECTIONS
SC-1 - SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-2 - APPLICATION PARTITIONING
SC-3 - SECURITY FUNCTION ISOLATION
SC-4 - INFORMATION IN SHARED RESOURCES
SC-5 - DENIAL OF SERVICE PROTECTION
SC-6 - RESOURCE AVAILABILITY
SC-7 - BOUNDARY PROTECTION
SC-8 - TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-9 - TRANSMISSION CONFIDENTIALITY
SC-10 - NETWORK DISCONNECT
SC-11 - TRUSTED PATH
SC-12 - CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-13 - CRYPTOGRAPHIC PROTECTION
SC-14 - PUBLIC ACCESS PROTECTIONS
SC-15 - COLLABORATIVE COMPUTING DEVICES
SC-16 - TRANSMISSION OF SECURITY ATTRIBUTES
SC-17 - PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-18 - MOBILE CODE
SC-19 - VOICE OVER INTERNET PROTOCOL
SC-20 - SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21 - SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-22 - ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SC-23 - SESSION AUTHENTICITY
SC-24 - FAIL IN KNOWN STATE
SC-25 - THIN NODES
SC-26 - HONEYPOTS
SC-27 - PLATFORM-INDEPENDENT APPLICATIONS
SC-28 - PROTECTION OF INFORMATION AT REST
SC-29 - HETEROGENEITY
SC-30 - CONCEALMENT AND MISDIRECTION
SC-31 - COVERT CHANNEL ANALYSIS
SC-32 - INFORMATION SYSTEM PARTITIONING
SC-33 - TRANSMISSION PREPARATION INTEGRITY
SC-34 - NON-MODIFIABLE EXECUTABLE PROGRAMS
SC-35 - HONEYCLIENTS
SC-36 - DISTRIBUTED PROCESSING AND STORAGE
SC-37 - OUT-OF-BAND CHANNELS
SC-38 - OPERATIONS SECURITY
SC-39 - PROCESS ISOLATION
SC-40 - WIRELESS LINK PROTECTION
SC-41 - PORT AND I/O DEVICE ACCESS
SC-42 - SENSOR CAPABILITY AND DATA
SC-43 - USAGE RESTRICTIONS
SC-44 - DETONATION CHAMBERS
SI-1 - SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-2 - FLAW REMEDIATION
SI-3 - MALICIOUS CODE PROTECTION
SI-4 - INFORMATION SYSTEM MONITORING
SI-5 - SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-6 - SECURITY FUNCTION VERIFICATION
SI-7 - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
SI-8 - SPAM PROTECTION
SI-9 - INFORMATION INPUT RESTRICTIONS
SI-10 - INFORMATION INPUT VALIDATION
SI-11 - ERROR HANDLING
SI-12 - INFORMATION HANDLING AND RETENTION
SI-13 - PREDICTABLE FAILURE PREVENTION
SI-14 - NON-PERSISTENCE
SI-15 - INFORMATION OUTPUT FILTERING
SI-16 - MEMORY PROTECTION
SI-17 - FAIL-SAFE PROCEDURES
SA-1 - SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-2 - ALLOCATION OF RESOURCES
SA-3 - SYSTEM DEVELOPMENT LIFE CYCLE
SA-4 - ACQUISITION PROCESS
SA-5 - INFORMATION SYSTEM DOCUMENTATION
SA-6 - SOFTWARE USAGE RESTRICTIONS
SA-7 - USER-INSTALLED SOFTWARE
SA-8 - SECURITY ENGINEERING PRINCIPLES
SA-9 - EXTERNAL INFORMATION SYSTEM SERVICES
SA-10 - DEVELOPER CONFIGURATION MANAGEMENT
SA-11 - DEVELOPER SECURITY TESTING AND EVALUATION
SA-12 - SUPPLY CHAIN PROTECTION
SA-13 - TRUSTWORTHINESS
SA-14 - CRITICALITY ANALYSIS
SA-15 - DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
SA-16 - DEVELOPER-PROVIDED TRAINING
SA-17 - DEVELOPER SECURITY ARCHITECTURE AND DESIGN
SA-18 - TAMPER RESISTANCE AND DETECTION
SA-19 - COMPONENT AUTHENTICITY
SA-20 - CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
SA-21 - DEVELOPER SCREENING
SA-22 - UNSUPPORTED SYSTEM COMPONENTS