Gap Assessment Template ISO 27001 ISO 27002


| Reference | Control Title | Control Description | Status |
|---|---|---|---|
| GOV-01 | Security & Privacy Governance Program | Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls. | Performed Informally [1/5] |
| GOV-02 | Publishing Security Policies | Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures. | Performed Informally [1/5] |
| GOV-03 | Periodic Review & Update of Security Documentation | Mechanisms exist to review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | Planned & Tracked [2.5/5] |
| GOV-04 | Assigned Security Responsibilities | Mechanisms exist to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program. | Performed Informally [1.5/5] |
| GOV-05 | Measures of Performance | Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance. | Planned & Tracked [2/5] |
| GOV-06 | Contacts With Authorities | Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies. | Performed Informally [1/5] |
| GOV-07 | Contacts With Groups & Associations | Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and ▪ Share current security-related information including threats, vulnerabilities and incidents. | Performed Informally [1.5/5] |
| AST-02 | Asset Inventories | Mechanisms exist to inventory system components that: ▪ Accurately reflects the current system; ▪ Is at the level of granularity deemed necessary for tracking and reporting; ▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and ▪ Is available for review and audit by designated organizational officials. | Planned & Tracked [2/5] |
| AST-02.7 | Software Licensing Restrictions | Mechanisms exist to ensure compliance with software licensing restrictions. | Planned & Tracked [2.5/5] |
| AST-03 | Assigning Ownership of Assets | Mechanisms exist to assign asset ownership to a department, team or individual. | Not Performed [0/5] |
| AST-04 | Network Diagrams & Data Flow Diagrams (DFDs) | Mechanisms exist to maintain network architecture diagrams that: ▪ Contain sufficient detail to assess the security of the network's architecture; ▪ Reflect the current state of the network environment; and ▪ Document all sensitive data flows. | Performed Informally [1/5] |
| AST-05 | Security of Assets & Media | Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive media. | Performed Informally [1/5] |
| AST-06 | Unattended End-User Equipment | Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access. | Planned & Tracked [2.5/5] |
| AST-09 | Secure Disposal or Re-Use of Equipment | Mechanisms exist to securely destroy media when it is no longer needed for business or legal reasons. | Performed Informally [1.5/5] |
| AST-10 | Return of Assets | Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement. | Planned & Tracked [2/5] |
| AST-11 | Removal of Assets | Mechanisms exist to authorize, control and track systems entering and exiting organizational facilities. | Performed Informally [1/5] |
| BCD-01 | Contingency Plan | Mechanisms exist to facilitate the implementation of contingency planning controls. | Performed Informally [1.5/5] |
| BCD-04 | Contingency Plan Testing & Exercises | Mechanisms exist to conduct tests and/or exercises to determine the contingency plan's effectiveness and the organization's readiness to execute the plan. | Planned & Tracked [2/5] |
| BCD-08 | Alternate Storage Site | Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information. | Planned & Tracked [2.5/5] |
| BCD-09 | Alternate Processing Site | Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site. | Not Performed [0/5] |
| BCD-11 | Data Backups | Mechanisms exist to create recurring backups of data, software and system images to ensure the availability of the data. | Performed Informally [1/5] |
| CAP-01 | Capacity & Performance Management | Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements. | Performed Informally [1/5] |
| CHG-01 | Change Management Program | Mechanisms exist to facilitate the implementation of change management controls. | Planned & Tracked [2.5/5] |
| CHG-02 | Configuration Change Control | Mechanisms exist to govern the technical configuration change control processes. | Performed Informally [1.5/5] |
| CHG-02.2 | Test, Validate & Document Changes | Mechanisms exist to test and document proposed changes in a non-production environment before changes are implemented in a production environment. | Planned & Tracked [2/5] |
| CPL-01 | Statutory, Regulatory & Contractual Compliance | Mechanisms exist to facilitate the implementation of relevant legislative, statutory, regulatory and contractual controls. | Performed Informally [1/5] |
| CPL-02 | Security Controls Oversight | Mechanisms exist to provide a security controls oversight function. | Performed Informally [1.5/5] |
| CPL-03 | Security Assessments | Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements. | Planned & Tracked [2/5] |
| CPL-03.1 | Independent Assessors | Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes. | Planned & Tracked [2.5/5] |
| CPL-03.2 | Functional Review Of Security Controls | Mechanisms exist to regularly review assets for compliance with the organization's cybersecurity and privacy policies and standards. | Not Performed [0/5] |
| CPL-04 | Audit Activities | Mechanisms exist to plan audits that minimize the impact of audit activities on business operations. | Performed Informally [1/5] |
| CFG-02 | System Hardening Through Baseline Configurations | Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards. | Performed Informally [1/5] |
| CFG-03.1 | Periodic Review | Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services. | Planned & Tracked [2.5/5] |
| MON-01 | Continuous Monitoring | Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls. | Performed Informally [1.5/5] |
| MON-03.3 | Privileged Functions Logging | Mechanisms exist to log and review the actions of users and/or services with elevated privileges. | Planned & Tracked [2/5] |
| MON-08 | Protection of Audit Information | Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion. | Performed Informally [1/5] |
| CRY-01 | Use of Cryptographic Controls | Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies. | Performed Informally [1.5/5] |
| CRY-01.2 | Export-Controlled Technology | Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements. | Planned & Tracked [2/5] |
| CRY-03 | Transmission Confidentiality | Cryptographic mechanisms are utilized to protect the confidentiality of data being transmitted. | Planned & Tracked [2.5/5] |
| CRY-04 | Transmission Integrity | Cryptographic mechanisms are utilized to protect the integrity of data being transmitted. | Not Performed [0/5] |
| CRY-05 | Encrypting Data At Rest | Cryptographic mechanisms are utilized on systems to prevent unauthorized disclosure of information at rest. | Performed Informally [1/5] |
| CRY-09 | Cryptographic Key Management | Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys. | Performed Informally [1/5] |
| DCH-01 | Data Protection | Mechanisms exist to facilitate the implementation of data protection controls. | Planned & Tracked [2.5/5] |
| DCH-02 | Data & Asset Classification | Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements. | Performed Informally [1.5/5] |
| DCH-04 | Media Marking | Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements. | Planned & Tracked [2/5] |
| DCH-07.1 | Custodians | Mechanisms exist to identify custodians throughout the transport of system media. | Performed Informally [1/5] |
| DCH-08 | Physical Media Disposal | Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures. | Performed Informally [1.5/5] |
| DCH-10 | Media Use | Mechanisms exist to restrict the use of types of digital media on systems or system components. | Planned & Tracked [2/5] |
| DCH-12 | Removable Media Security | Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters. | Planned & Tracked [2.5/5] |
| DCH-14 | Information Sharing | Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected. | Not Performed [0/5] |
| DCH-18 | Media & Data Retention | Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations. | Performed Informally [1/5] |
| END-01 | Endpoint Security | Mechanisms exist to facilitate the implementation of endpoint security controls. | Performed Informally [1/5] |
| END-03 | Prohibit Installation Without Privileged Status | Mechanisms exist to prohibit user installation of software without explicitly assigned privileged status. | Planned & Tracked [2.5/5] |
| END-03.2 | Access Restriction for Change | Mechanisms exist to define, document, approve, and enforce access restrictions associated with changes to systems. | Performed Informally [1.5/5] |
| END-04 | Malicious Code Protection (Anti-Malware) | Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code. | Planned & Tracked [2/5] |
| END-05 | Software Firewall | Mechanisms exist to utilize host-based firewall software on all laptop computers and other portable workstations capable of implementing a host-based firewall. | Performed Informally [1/5] |
| END-16 | Security Function Isolation | Mechanisms exist to ensure system configurations isolate security functions from non-security functions. | Performed Informally [1.5/5] |
| HRS-03 | Roles & Responsibilities | Mechanisms exist to define cybersecurity responsibilities for all personnel. | Planned & Tracked [2/5] |
| HRS-04 | Personnel Screening | Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access. | Planned & Tracked [2.5/5] |
| HRS-05 | Terms of Employment | Mechanisms exist to require all employees and contractors to apply security and privacy principles in their daily work. | Not Performed [0/5] |
| HRS-05.1 | Rules of Behavior | Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior. | Performed Informally [1/5] |
| HRS-06 | Access Agreements | Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access. | Performed Informally [1/5] |
| HRS-07 | Personnel Sanctions | Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures. | Planned & Tracked [2.5/5] |
| HRS-09 | Personnel Termination | Mechanisms exist to govern the termination of individual employment. | Performed Informally [1.5/5] |
| HRS-12 | Incompatible Roles | Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software, and firmware components within a production/operational environment. | Planned & Tracked [2/5] |
| IAC-01 | Identity & Access Management (IAM) | Mechanisms exist to facilitate the implementation of identification and access management controls. | Performed Informally [1/5] |
| IAC-06 | Multi-Factor Authentication (MFA) | Mechanisms exist to require Multi-Factor Authentication (MFA) for remote network access. | Performed Informally [1.5/5] |
| IAC-07 | User Provisioning & De-Provisioning | Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights. | Planned & Tracked [2/5] |
| IAC-07.1 | Change of Roles & Duties | Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted. | Planned & Tracked [2.5/5] |
| IAC-07.2 | Termination of Employment | Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract. | Not Performed [0/5] |
| IAC-09.1 | User Identity (ID) Management | Mechanisms exist to ensure proper user identification management for non-consumer users and administrators. | Performed Informally [1/5] |
| IAC-10 | Authenticator Management (Passwords) | Mechanisms exist to securely manage passwords for users and devices. | Performed Informally [1/5] |
| IAC-16 | Privileged Account Management (PAM) | Mechanisms exist to restrict and control privileged access rights for users and services. | Planned & Tracked [2.5/5] |
| IAC-18 | User Responsibilities for Account Management | Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.). | Performed Informally [1.5/5] |
| IAC-20 | Access Enforcement | Mechanisms exist to enforce logical access permissions through the principle of "least privilege." | Planned & Tracked [2/5] |
| IAC-20.3 | Use of Privileged Utility Programs | Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls. | Performed Informally [1/5] |
| IAC-21 | Least Privilege | Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions. | Performed Informally [1.5/5] |
| IAC-22 | Account Lockout | Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded. | Planned & Tracked [2/5] |
| IRO-01 | Management of Security Incidents | Mechanisms exist to facilitate the implementation of incident response controls. | Planned & Tracked [2.5/5] |
| IRO-02 | Incident Handling | Incident handling mechanisms exist to cover preparation, detection and analysis, containment, eradication and recovery. | Not Performed [0/5] |
| IRO-04 | Incident Response Plan (IRP) | Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders. | Performed Informally [1/5] |
| IRO-07 | Integrated Security Incident Response Team (ISIRT) | Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations. | Performed Informally [1/5] |
| IRO-08 | Chain of Custody & Forensics | Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody. | Planned & Tracked [2.5/5] |
| IRO-10 | Incident Reporting | Mechanisms exist to report incidents: ▪ Internally to organizational incident response personnel within organization-defined time-periods; and ▪ Externally to regulatory authorities and affected parties, as necessary. | Performed Informally [1.5/5] |
| IRO-13 | Root Cause Analysis (RCA) & Lessons Learned | Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents. | Planned & Tracked [2/5] |
| IRO-14 | Regulatory & Law Enforcement Contacts | Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies. | Performed Informally [1/5] |
| IAO-02 | Assessments | Mechanisms exist to formally assess the cybersecurity and privacy controls in systems, applications and services through Control Validation Testing (CVT) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements. | Performed Informally [1.5/5] |
| IAO-03 | System Security Plans (SSP) | System Security Plans (SSPs), or similar mechanisms, are used to identify and maintain key architectural information on each critical system, application or service. | Planned & Tracked [2/5] |
| IAO-04 | Threat Analysis & Flaw Remediation During Development | Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development. | Planned & Tracked [2.5/5] |
| IAO-07 | Security Authorization | Mechanisms exist to ensure systems, projects and services are officially authorized prior to "go live" in a production environment. | Not Performed [0/5] |
| MNT-01 | Maintenance Operations | Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise. | Performed Informally [1/5] |
| MDM-02 | Access Control For Mobile Devices | Access control mechanisms for mobile devices exist to enforce requirements for the connection of mobile devices to organizational systems. | Performed Informally [1/5] |
| MDM-04 | Mobile Device Tampering | Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network. | Planned & Tracked [2.5/5] |
| MDM-05 | Remote Purging | Mechanisms exist to remotely purge selected information from mobile devices. | Performed Informally [1.5/5] |
| NET-01 | Network Security Management | Mechanisms exist to develop, govern & update procedures to facilitate the implementation of network security controls. | Planned & Tracked [2/5] |
| NET-04 | Data Flow Enforcement – Access Control Lists (ACLs) | Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems. | Performed Informally [1/5] |
| NET-04.1 | Deny Traffic by Default & Allow Traffic by Exception | Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). | Performed Informally [1.5/5] |
| NET-13 | Electronic Messaging | Mechanisms exist to protect information involved in electronic messaging communications. | Planned & Tracked [2/5] |
| NET-14 | Remote Access | Mechanisms exist to define, control and review remote access methods. | Planned & Tracked [2.5/5] |
| NET-14.5 | Telecommuting | Mechanisms exist to govern remote access to systems and data for remote workers. | Not Performed [0/5] |
| NET-16 | Intranets | Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: ▪ Access the intranet from external systems; and ▪ Process, store, and/or transmit organization-controlled information using the external systems. | Performed Informally [1/5] |
| NET-17 | Data Loss Prevention (DLP) | Data Loss Prevention (DLP) mechanisms exist to protect sensitive information as it is stored, transmitted and processed. | Performed Informally [1/5] |
| PES-01 | Physical & Environmental Protections | Mechanisms exist to facilitate the operation of physical and environmental protection controls. | Planned & Tracked [2.5/5] |
| PES-02 | Physical Access Authorizations | Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible). | Performed Informally [1.5/5] |
| PES-03 | Physical Access Control | Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible). | Planned & Tracked [2/5] |
| PES-04 | Physical Security of Offices, Rooms & Facilities | Physical access control mechanisms are designed and implemented for offices, rooms and facilities. | Performed Informally [1/5] |
| PES-04.1 | Working in Secure Areas | Physical access control mechanisms ensure that only authorized personnel are allowed access to secure areas. | Performed Informally [1.5/5] |
| PES-07 | Supporting Utilities | Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction. | Planned & Tracked [2/5] |
| PES-07.1 | Automatic Voltage Controls | Facility security mechanisms exist to utilize automatic voltage controls for critical system components. | Planned & Tracked [2.5/5] |
| PES-10 | Delivery & Removal | Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access. | Not Performed [0/5] |
| PES-12 | Equipment Siting & Protection | Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. | Performed Informally [1/5] |
| PES-12.1 | Access Control for Transmission Medium | Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage. | Performed Informally [1/5] |
| PRI-01.1 | Chief Privacy Officer (CPO) | Mechanisms exist to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program. | Planned & Tracked [2.5/5] |
| PRI-08 | Testing, Training & Monitoring | Mechanisms exist to implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed. | Performed Informally [1.5/5] |
| PRM-01 | Security Portfolio Management | Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls. | Planned & Tracked [2/5] |
| PRM-02 | Information Security Resource Management | Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the security & privacy programs, and document all exceptions to this requirement. | Performed Informally [1/5] |
| PRM-03 | Allocation of Resources | Mechanisms exist to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives. | Performed Informally [1.5/5] |
| PRM-04 | Security In Project Management | Mechanisms exist to assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements. | Planned & Tracked [2/5] |
| PRM-05 | Security Requirements Definition | Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). | Planned & Tracked [2.5/5] |
| PRM-07 | Secure Development Life Cycle (SDLC) Management | Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. | Not Performed [0/5] |
| RSK-01 | Risk Management Program | Mechanisms exist to facilitate the implementation of risk management controls. | Performed Informally [1/5] |
| RSK-03 | Risk Identification | Mechanisms exist to identify and document risks, both internal and external. | Performed Informally [1/5] |
| RSK-04 | Risk Assessment | Mechanisms exist to conduct an annual assessment of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. | Planned & Tracked [2.5/5] |
| RSK-04.1 | Risk Register | Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks. | Performed Informally [1.5/5] |
| RSK-05 | Risk Ranking | Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. | Planned & Tracked [2/5] |
| RSK-06 | Risk Remediation | Mechanisms exist to remediate risks to an acceptable level. | Performed Informally [1/5] |
| RSK-06.1 | Risk Response | Mechanisms exist to respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed. | Performed Informally [1.5/5] |
| RSK-07 | Risk Assessment Update | Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. | Planned & Tracked [2/5] |
| RSK-08 | Business Impact Analysis (BIA) | Mechanisms exist to conduct a Business Impact Analysis (BIA). | Planned & Tracked [2.5/5] |
| RSK-09.1 | Supply Chain Risk Assessment | Mechanisms exist to assess supply chain risks associated with systems, system components and services. | Not Performed [0/5] |
| RSK-10 | Data Protection Impact Assessment (DPIA) | Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications. | Performed Informally [1/5] |
| SEA-01 | Secure Engineering Principles | Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services. | Performed Informally [1/5] |
| SEA-02 | Alignment With Enterprise Architecture | Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals and other organizations. | Planned & Tracked [2.5/5] |
| SEA-17 | Secure Log-On Procedures | Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system. | Performed Informally [1.5/5] |
| SEA-20 | Clock Synchronization | Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks. | Planned & Tracked [2/5] |
| OPS-01 | Operations Security | Mechanisms exist to facilitate the implementation of operational security controls. | Performed Informally [1/5] |
| OPS-01.1 | Standardized Operating Procedures (SOP) | Standardized Operating Procedures (SOP), or similar mechanisms, are used to identify and document day-to-day procedures to enable the proper execution of assigned tasks. | Performed Informally [1.5/5] |
| OPS-02 | Security Concept Of Operations (CONOPS) | Mechanisms exist to develop a security Concept of Operations (CONOPS) that documents management, operational and technical measures implemented to apply defense-in-depth techniques. | Planned & Tracked [2/5] |
| SAT-01 | Security & Privacy-Minded Workforce | Mechanisms exist to facilitate the implementation of security workforce development and awareness controls. | Planned & Tracked [2.5/5] |
| SAT-02 | Security & Privacy Awareness | Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function. | Not Performed [0/5] |
| TDA-04 | Documentation Requirements | Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describe: ▪ Secure configuration, installation and operation of the system; ▪ Effective use and maintenance of security features/functions; and ▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions. | Performed Informally [1/5] |
| TDA-06 | Secure Coding | Mechanisms exist to develop applications based on secure coding principles. | Performed Informally [1/5] |
| TDA-07 | Secure Development Environments | Mechanisms exist to maintain a segmented development network to ensure a secure development environment. | Planned & Tracked [2.5/5] |
| TDA-08 | Separation of Development, Testing and Operational Environments | Mechanisms exist to manage separate development, testing, and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems. | Performed Informally [1.5/5] |
| TDA-09 | Security & Privacy Testing Throughout Development | Mechanisms exist to require system developers/integrators to consult with cybersecurity and privacy personnel to: ▪ Create and implement a Security Test and Evaluation (ST&E) plan; ▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and ▪ Document the results of the security testing/evaluation and flaw remediation processes. | Planned & Tracked [2/5] |
| TDA-10 | Use of Live Data | Mechanisms exist to approve, document and control the use of live data in development and test environments. | Performed Informally [1/5] |
| TDA-14 | Developer Configuration Management | Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation. | Performed Informally [1.5/5] |
| TDA-15 | Developer Threat Analysis & Flaw Remediation | Mechanisms exist to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party. | Planned & Tracked [2/5] |
| TDA-20 | Access to Program Source Code | Mechanisms exist to limit privileges to change software resident within software libraries. | Planned & Tracked [2.5/5] |
| TPM-01 | Third-Party Management | Mechanisms exist to facilitate the implementation of third-party management controls. | Not Performed [0/5] |
| TPM-03 | Supply Chain Protection | Mechanisms exist to evaluate security risks associated with the services and product supply chain. | Performed Informally [1/5] |
| TPM-04 | Third-Party Services | Mechanisms exist to mitigate the risks associated with third-party access to the organization's systems and data. | Performed Informally [1/5] |
| TPM-05 | Third-Party Contract Requirements | Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data. | Planned & Tracked [2.5/5] |
| TPM-08 | Review of Third-Party Services | Mechanisms exist to monitor, regularly review and audit supplier service delivery for compliance with established contract agreements. | Performed Informally [1.5/5] |
| TPM-09 | Third-Party Deficiency Remediation | Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements. | Planned & Tracked [2/5] |
| TPM-10 | Managing Changes To Third-Party Services | Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party. | Performed Informally [1/5] |
| VPM-01 | Vulnerability & Patch Management Program (VPMP) | Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls. | Performed Informally [1.5/5] |
| VPM-02 | Vulnerability Remediation Process | Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated. | Planned & Tracked [2/5] |
| VPM-04 | Continuous Vulnerability Remediation Activities | Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks. | Planned & Tracked [2.5/5] |
| VPM-04.2 | Flaw Remediation with Personal Information (PI) | Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Information (PI). | Performed Informally [1.5/5] |
| VPM-05 | Software Patching | Mechanisms exist to conduct software patching for all deployed operating systems, applications, and firmware. | Planned & Tracked [2/5] |
| WEB-01 | Web Security | | |
| WEB-02 | Use of Demilitarized Zones (DMZ) | | |

Mechanisms exist to facilitate the implementation of an enterprise-wide


web management policy, as well as associated standards, controls and Planned & Tracked [2.5/5]
procedures.

Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict


inbound traffic to authorized devices on certain services, protocols and Well Defined [3/5]
ports.
SCF Control Question | SP-CMM 0 Not Performed

Question: Does the organization staff a function to centrally-govern cybersecurity and privacy controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of cybersecurity and privacy governance controls.

Question: Does the organization establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures?
SP-CMM 0: - There is no evidence of a capability to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.

Question: Does the organization review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?
SP-CMM 0: - There is no evidence of a capability to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Question: Does the organization assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program?
SP-CMM 0: - There is no evidence of a capability to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.

Question: Does the organization develop, report and monitor cybersecurity and privacy program measures of performance?
SP-CMM 0: - There is no evidence of a capability to develop, report and monitor cybersecurity and privacy program measures of performance.

Question: Does the organization identify and document appropriate contacts within relevant law enforcement and regulatory bodies?
SP-CMM 0: - There is no evidence of a capability to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.

Question: Does the organization establish contact with selected groups and associations within the cybersecurity & privacy communities to:
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
▪ Share current security-related information including threats, vulnerabilities and incidents?
SP-CMM 0: - There is no evidence of a capability to establish contact with selected groups and associations within the cybersecurity & privacy communities to:
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
▪ Share current security-related information including threats, vulnerabilities and incidents.

Question: Does the organization inventory system components that:
▪ Accurately reflects the current system;
▪ Is at the level of granularity deemed necessary for tracking and reporting;
▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and
▪ Is available for review and audit by designated organizational officials?
SP-CMM 0: - There is no evidence of a capability to inventory system components that:
▪ Accurately reflects the current system;
▪ Is at the level of granularity deemed necessary for tracking and reporting;
▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and
▪ Is available for review and audit by designated organizational officials.

Question: Does the organization ensure compliance with software licensing restrictions?
SP-CMM 0: - There is no evidence of a capability to ensure compliance with software licensing restrictions.

Question: Does the organization assign asset ownership to a department, team or individual?
SP-CMM 0: - There is no evidence of a capability to assign asset ownership responsibilities to a department, team or individual that establishes a common understanding of requirements to protect assets.
Question: Does the organization maintain network architecture diagrams that:
▪ Contain sufficient detail to assess the security of the network's architecture;
▪ Reflect the current state of the network environment; and
▪ Document all sensitive data flows?
SP-CMM 0: - There is no evidence of a capability to maintain network architecture diagrams that:
▪ Contain sufficient detail to assess the security of the network's architecture;
▪ Reflect the current state of the network environment; and
▪ Document all sensitive data flows.

Question: Does the organization maintain strict control over the internal or external distribution of any kind of sensitive media?
SP-CMM 0: - There is no evidence of a capability to maintain strict control over the internal or external distribution of any kind of sensitive media.

Question: Does the organization implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access?
SP-CMM 0: - There is no evidence of a capability to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.

Question: Does the organization securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent such components from entering the gray market?
SP-CMM 0: - There is no evidence of a capability to dispose of, destroy or repurpose system components when it is no longer needed for business or legal reasons.

Question: Does the organization ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement?
SP-CMM 0: - There is no evidence of a capability to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.

Question: Does the organization authorize, control and track systems entering and exiting organizational facilities?
SP-CMM 0: - There is no evidence of a capability to authorize, control and track systems entering and exiting organizational facilities.

Question: Does the organization facilitate the implementation of contingency planning controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.

Question: Does the organization conduct tests and/or exercises to determine the contingency plan's effectiveness and the organization’s readiness to execute the plan?
SP-CMM 0: - There is no evidence of a capability to conduct tests and/or exercises to determine the contingency plan's effectiveness and the organization’s readiness to execute the plan.

Question: Does the organization establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information?
SP-CMM 0: - There is no evidence of a capability to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.

Question: Does the organization establish an alternate processing site that provides security measures equivalent to that of the primary site?
SP-CMM 0: - There is no evidence of a capability to establish an alternate processing site that provides security measures equivalent to that of the primary site.

Question: Does the organization create recurring backups of data, software and system images to ensure the availability of the data?
SP-CMM 0: - There is no evidence of a capability to create recurring backups of data, software and system images to ensure the availability of the data.

Question: Does the organization facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements.

Question: Does the organization facilitate the implementation of change management controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of change management controls.

Question: Does the organization govern the technical configuration change control processes?
SP-CMM 0: - There is no evidence of a capability to govern the technical configuration change control processes.

Question: Does the organization test and document proposed changes in a non-production environment before changes are implemented in a production environment?
SP-CMM 0: - There is no evidence of a capability to test and document proposed changes in a non-production environment before changes are implemented in a production environment.

Question: Does the organization facilitate the implementation of relevant legislative statutory, regulatory and contractual controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the identification and implementation of relevant legislative statutory, regulatory and contractual controls.

Question: Does the organization provide a security controls oversight function?
SP-CMM 0: - There is no evidence of a capability to provide a security controls oversight function.

Question: Does the organization ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements?
SP-CMM 0: - There is no evidence of a capability to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.

Question: Does the organization utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes?
SP-CMM 0: - There is no evidence of a capability to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes.

Question: Does the organization regularly review assets for compliance with the organization’s cybersecurity and privacy policies and standards?
SP-CMM 0: - There is no evidence of a capability to regularly review assets for compliance with the organization’s cybersecurity and privacy policies and standards.

Question: Does the organization plan audits that minimize the impact of audit activities on business operations?
SP-CMM 0: - There is no evidence of a capability to plan audits that minimize the impact of audit activities on business operations.

Question: Does the organization develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards?
SP-CMM 0: - There is no evidence of a capability to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.

Question: Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services?
SP-CMM 0: - There is no evidence of a capability to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.

Question: Does the organization facilitate the implementation of enterprise-wide monitoring controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of enterprise-wide monitoring controls.

Question: Does the organization log and review the actions of users and/or services with elevated privileges?
SP-CMM 0: - There is no evidence of a capability to log and review the actions of users and/or services with elevated privileges.

Question: Does the organization protect event logs and audit tools from unauthorized access, modification and deletion?
SP-CMM 0: - There is no evidence of a capability to protect event logs and audit tools from unauthorized access, modification and deletion.

Question: Does the organization facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.

Question: Does the organization address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements?
SP-CMM 0: - There is no evidence of a capability to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.

Question: Are cryptographic mechanisms utilized to protect the confidentiality of data being transmitted?
SP-CMM 0: - There is no evidence of a capability to protect the confidentiality of data being transmitted.

Question: Are cryptographic mechanisms utilized to protect the integrity of data being transmitted?
SP-CMM 0: - There is no evidence of a capability to protect the integrity of data being transmitted.

Question: Are cryptographic mechanisms utilized on systems to prevent unauthorized disclosure of information at rest?
SP-CMM 0: - There is no evidence of a capability to prevent unauthorized disclosure of information at rest.

Question: Does the organization facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys?
SP-CMM 0: - There is no evidence of a capability to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.

Question: Does the organization facilitate the implementation of data protection controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of data protection controls.
Question: Does the organization ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements?
SP-CMM 0: - There is no evidence of a capability to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.

Question: Does the organization mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements?
SP-CMM 0: - There is no evidence of a capability to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.

Question: Does the organization identify custodians throughout the transport of system media?
SP-CMM 0: - There is no evidence of a capability to identify custodians throughout the transport of system media.

Question: Does the organization securely dispose of media when it is no longer required, using formal procedures?
SP-CMM 0: - There is no evidence of a capability to securely dispose of media when it is no longer required, using formal procedures.

Question: Does the organization restrict the use of types of digital media on systems or system components?
SP-CMM 0: - There is no evidence of a capability to restrict the use of types of digital media on systems or system components.

Question: Does the organization restrict removable media in accordance with data handling and acceptable usage parameters?
SP-CMM 0: - There is no evidence of a capability to restrict removable media in accordance with data handling and acceptable usage parameters.

Question: Does the organization utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected?
SP-CMM 0: - There is no evidence of a capability to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.

Question: Does the organization retain media and data in accordance with applicable statutory, regulatory and contractual obligations?
SP-CMM 0: - There is no evidence of a capability to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.

Question: Does the organization facilitate the implementation of endpoint security controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of endpoint security controls.

Question: Does the organization prohibit user installation of software without explicitly assigned privileged status?
SP-CMM 0: - There is no evidence of a capability to prohibit user installation of software without explicitly assigned privileged status.

Question: Does the organization define, document, approve and enforce access restrictions associated with changes to systems?
SP-CMM 0: - There is no evidence of a capability to define, document, approve and enforce access restrictions associated with changes to systems.

Question: Does the organization utilize antimalware technologies to detect and eradicate malicious code?
SP-CMM 0: - There is no evidence of a capability to utilize antimalware technologies to detect and eradicate malicious code.

Question: Does the organization utilize a host-based firewall software on all laptop computers and other portable workstations capable of implementing a host-based firewall?
SP-CMM 0: - There is no evidence of a capability to utilize a host-based firewall software on all laptop computers and other portable workstations capable of implementing a host-based firewall.

Question: Does the organization ensure system configurations isolate security functions from non-security functions?
SP-CMM 0: - There is no evidence of a capability to ensure system configurations isolate security functions from non-security functions.

Question: Does the organization define cybersecurity responsibilities for all personnel?
SP-CMM 0: - There is no evidence of a capability to define cybersecurity responsibilities for all personnel.

Question: Does the organization manage personnel security risk by screening individuals prior to authorizing access?
SP-CMM 0: - There is no evidence of a capability to manage personnel security risk by screening individuals prior to authorizing access.

Question: Does the organization require all employees and contractors to apply security and privacy principles in their daily work?
SP-CMM 0: - There is no evidence of a capability to require all employees and contractors to apply security and privacy principles in their daily work.

Question: Does the organization define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior?
SP-CMM 0: - There is no evidence of a capability to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Question: Does the organization require internal and third-party users to sign appropriate access agreements prior to being granted access?
SP-CMM 0: - There is no evidence of a capability to require internal and third-party users to sign appropriate access agreements prior to being granted access.

Question: Does the organization sanction personnel failing to comply with established security policies, standards and procedures?
SP-CMM 0: - There is no evidence of a capability to sanction personnel failing to comply with established security policies, standards and procedures.

Question: Does the organization govern the termination of individual employment?
SP-CMM 0: - There is no evidence of a capability to govern the termination of individual employment.

Question: Does the organization avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment?
SP-CMM 0: - There is no evidence of a capability to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.

Question: Does the organization facilitate the implementation of identification and access management controls?
SP-CMM 0: - There is no evidence of a capability to facilitate the implementation of identification and access management controls.
Question: Does the organization require Multi-Factor Authentication (MFA) for remote network access?
SP-CMM 0: - There is no evidence of a capability to enforce Multi-Factor Authentication (MFA) for:
▪ Remote network access; and/or
▪ Non-console access to critical systems or systems that store, transmit and/or process sensitive data.

Question: Does the organization utilize a formal user registration and de-registration process that governs the assignment of access rights?
SP-CMM 0: - There is no evidence of a capability to utilize a formal user registration and de-registration process that governs the assignment of access rights.

Question: Does the organization revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted?
SP-CMM 0: - There is no evidence of a capability to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.

Question: Does the organization revoke user access rights in a timely manner, upon termination of employment or contract?
SP-CMM 0: - There is no evidence of a capability to revoke user access rights in a timely manner, upon termination of employment or contract.

Question: Does the organization ensure proper user identification management for non-consumer users and administrators?
SP-CMM 0: - There is no evidence of a capability to ensure proper user identification management for non-consumer users and administrators.

Question: Does the organization securely manage passwords for users and devices?
SP-CMM 0: - There is no evidence of a capability to securely manage passwords for users and devices.

Question: Does the organization restrict and control privileged access rights for users and services?
SP-CMM 0: - There is no evidence of a capability to restrict and control privileged access rights for users and services.

Question: Does the organization compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.)?
SP-CMM 0: - There is no evidence of a capability to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.).

Question: Does the organization enforce logical access permissions through the principle of "least privilege"?
SP-CMM 0: - There is no evidence of a capability to enforce logical access permissions through the principle of "least privilege."

Question: Does the organization restrict and tightly control utility programs that are capable of overriding system and application controls?
SP-CMM 0: - There is no evidence of a capability to restrict and tightly control utility programs that are capable of overriding system and application controls.

Question: Does the organization utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions?
SP-CMM 0: - There is no evidence of a capability to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.

Question: Does the organization enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded?
SP-CMM 0: - There is no evidence of a capability to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.

Question: Does the organization facilitate the implementation of incident response controls?
SP-CMM 0: - There is no evidence of a capability to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents.

Question: Do the organization's incident handling processes cover preparation, detection and analysis, containment, eradication and recovery?
SP-CMM 0: - There is no evidence of a capability to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.

Question: Does the organization maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders?
SP-CMM 0: - There is no evidence of a capability to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.

Question: Does the organization establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations?
SP-CMM 0: - There is no evidence of a capability to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.

Question: Does the organization perform digital forensics and maintain the integrity of the chain of custody?
SP-CMM 0: - There is no evidence of a capability to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Does the organization report incidents:
▪ Internally to organizational incident response - There is no evidence of a capability to timely-
report incidents to applicable:
personnel within organization-defined time- ▪ Internal stakeholders ;
periods; and
▪ Affected clients & third-parties; and
▪ Externally to regulatory authorities and ▪ Regulatory authorities.
affected parties, as necessary?
- There is no evidence of a capability to
Does the organization incorporate lessons
incorporate lessons learned from analyzing and
learned from analyzing and resolving
resolving cybersecurity and privacy incidents to
cybersecurity and privacy incidents to reduce
reduce the likelihood or impact of future
the likelihood or impact of future incidents?
incidents.

Does the organization maintain incident - There is no evidence of a capability to maintain


response contacts with applicable regulatory and incident response contacts with applicable
law enforcement agencies? regulatory and law enforcement agencies.
Does the organization formally assess the - There is no evidence of a capability to formally
cybersecurity and privacy controls in systems, assess the cybersecurity and privacy controls in
applications and services through Information systems, applications and services through
Assurance Program (IAP) activities to determine Information Assurance Program (IAP) activities
the extent to which the controls are to determine the extent to which the controls
implemented correctly, operating as intended are implemented correctly, operating as
and producing the desired outcome with respect intended and producing the desired outcome
to meeting expected requirements? with respect to meeting expected requirements.
Does the organization generate System Security - There is no evidence of a capability to generate
& Privacy Plans (SSPPs), or similar document System Security Plans (SSPs), or similar
repositories, to identify and maintain key document repositories, to identify and maintain
architectural information on each critical system, key architectural information on each critical
application or service, as well as influencing system, application or service, as well as
inputs, entities, systems, applications and influencing inputs, entities, systems, applications
processes, providing a historical record of the and processes, providing a historical record of
data - There is no evidence of a capability to require
Does the organization require system developers the data and its origins.
and its origins?
system developers and integrators to create and
and integrators to create and execute a Security
execute a Security Test and Evaluation (ST&E)
Test and Evaluation (ST&E) plan to identify and
plan to identify and remediate flaws during
remediate flaws during development?
development.
- There is no evidence of a capability to ensure
Does the organization ensure systems, projects
systems, projects and services are officially
and services are officially authorized prior to "go
authorized prior to "go live" in a production
live" in a production environment?
environment.

Does the organization develop, disseminate, - There is no evidence of a capability to develop,


review & update procedures to facilitate the disseminate, review & update procedures to
implementation of maintenance controls across facilitate the implementation of maintenance
the enterprise? controls across the enterprise.

Do access control mechanisms for mobile - There is no evidence of a capability to enforce


devices enforce requirements for the connection access control requirements for the connection
of mobile devices to organizational systems? of mobile devices to organizational systems.
Does the organization protect mobile devices - There is no evidence of a capability to protect
from tampering through inspecting devices mobile devices from tampering through
returning from locations that the organization inspecting devices returning from locations that
deems to be of significant risk, prior to the the organization deems to be of significant risk,
device being connected to the organization’s prior to the device being connected to the
network? organization’s network.

Does the organization remotely purge selected - There is no evidence of a capability to remotely
information from mobile devices? purge selected information from mobile devices.

Does the organization develop, govern & update - There is no evidence of a capability to develop,
procedures to facilitate the implementation of govern & update procedures to facilitate the
network security controls? implementation of network security controls.

Does the organization design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems?
- There is no evidence of a capability to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems.

Does the organization configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception)?
- There is no evidence of a capability to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).

Does the organization protect the confidentiality, integrity and availability of electronic messaging communications?
- There is no evidence of a capability to protect information involved in electronic messaging communications.

Does the organization define, control and review remote access methods?
- There is no evidence of a capability to define, control and review remote access methods.

Does the organization define secure telecommuting practices and govern remote access to systems and data for remote workers?
- There is no evidence of a capability to govern remote access to systems and data for remote workers.

Does the organization establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to:
▪ Access the intranet from external systems; and
▪ Process, store, and/or transmit organization-controlled information using the external systems?
- There is no evidence of a capability to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to:
▪ Access the intranet from external systems; and
▪ Process, store, and/or transmit organization-controlled information using the external systems.

Is Data Loss Prevention (DLP) used to protect sensitive information as it is stored, transmitted and processed?
- There is no evidence of a capability to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.

Does the organization facilitate the operation of physical and environmental protection controls?
- There is no evidence of a capability to facilitate the operation of physical and environmental protection controls.

Does the organization maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)?
- There is no evidence of a capability to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).

Does the organization enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible)?
- There is no evidence of a capability to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).

Are physical access controls designed and implemented for offices, rooms and facilities?
- There is no evidence of a capability to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.

Does the organization allow only authorized personnel access to secure areas?
- There is no evidence of a capability to allow only authorized personnel access to secure areas.

Does the organization protect power equipment and power cabling for the system from damage and destruction?
- There is no evidence of a capability to protect power equipment and power cabling for the system from damage and destruction.

Does the organization utilize automatic voltage controls for critical system components?
- There is no evidence of a capability to utilize automatic voltage controls for critical system components.
Does the organization isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access?
- There is no evidence of a capability to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.

Does the organization locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access?
- There is no evidence of a capability to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

Does the organization protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage?
- There is no evidence of a capability to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.

Does the organization appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program?
- There is no evidence of a capability to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

Does the organization implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed?
- There is no evidence of a capability to implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed.

Does the organization facilitate the implementation of security and privacy-related resource planning controls?
- There is no evidence of a capability to facilitate the implementation of security and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives.

Does the organization address all capital planning and investment requests, including the resources needed to implement the security & privacy programs, and document all exceptions to this requirement?
- There is no evidence of a capability to address all capital planning and investment requests, including the resources needed to implement the security & privacy programs, and document all exceptions to this requirement.

Does the organization identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives?
- There is no evidence of a capability to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives.
Does the organization assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements?
- There is no evidence of a capability to assess security and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.

Does the organization identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC)?
- There is no evidence of a capability to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC).

Does the organization ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures?
- There is no evidence of a capability to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures.

Does the organization facilitate the implementation of risk management controls?
- There is no evidence of a capability to facilitate the implementation of risk management controls.

Does the organization identify and document risks, both internal and external?
- There is no evidence of a capability to identify and document risks, both internal and external.

Does the organization conduct an annual assessment of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data?
- There is no evidence of a capability to conduct an annual assessment of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.

Does the organization maintain a risk register that facilitates monitoring and reporting of risks?
- There is no evidence of a capability to maintain a risk register that facilitates monitoring and reporting of risks.

Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices?
- There is no evidence of a capability to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.

Does the organization remediate risks to an acceptable level?
- There is no evidence of a capability to remediate risks to an acceptable level.

Does the organization respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed?
- There is no evidence of a capability to respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed.

Does the organization routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information?
- There is no evidence of a capability to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.

Does the organization conduct a Business Impact Analysis (BIA)?
- There is no evidence of a capability to conduct a Business Impact Analysis (BIA).

Does the organization assess supply chain risks associated with systems, system components and services?
- There is no evidence of a capability to periodically assess supply chain risks associated with systems, system components and services.

Does the organization conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications?
- There is no evidence of a capability to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications.
Does the organization facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services?
- There is no evidence of a capability to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.

Does the organization develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals and other organizations?
- There is no evidence of a capability to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals and other organizations.

Does the organization utilize a trusted communications path between the user and the security functions of the system?
- There is no evidence of a capability to utilize a trusted communications path between the user and the security functions of the system.

Does the organization utilize time-synchronization technology to synchronize all critical system clocks?
- There is no evidence of a capability to utilize time-synchronization technology to synchronize all critical system clocks.

Does the organization facilitate the implementation of operational security controls?
- There is no evidence of a capability to facilitate the implementation of operational security controls.

Does the organization use Standardized Operating Procedures (SOP), or similar mechanisms, to identify and document day-to-day procedures to enable the proper execution of assigned tasks?
- There is no evidence of a capability to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.

Does the organization develop a security Concept of Operations (CONOPS) that documents management, operational and technical measures implemented to apply defense-in-depth techniques?
- There is no evidence of a capability to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques and that is communicated to all appropriate stakeholders.

Does the organization facilitate the implementation of security workforce development and awareness controls?
- There is no evidence of a capability to facilitate the implementation of security workforce development and awareness controls.

Does the organization provide all employees and contractors appropriate awareness education and training that is relevant for their job function?
- There is no evidence of a capability to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.

Does the organization obtain, protect and distribute administrator documentation for systems that describes:
▪ Secure configuration, installation and operation of the system;
▪ Effective use and maintenance of security features/functions; and
▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions?
- There is no evidence of a capability to obtain, protect and distribute administrator documentation for systems that describes:
▪ Secure configuration, installation and operation of the system;
▪ Effective use and maintenance of security features/functions; and
▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.

Does the organization develop applications based on secure coding principles?
- There is no evidence of a capability to develop applications based on secure coding principles.

Does the organization maintain a segmented development network to ensure a secure development environment?
- There is no evidence of a capability to maintain a segmented development network to ensure a secure development environment.

Does the organization manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems?
- There is no evidence of a capability to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems.

Does the organization require system developers/integrators to consult with cybersecurity and privacy personnel to:
▪ Create and implement a Security Test and Evaluation (ST&E) plan;
▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
▪ Document the results of the security testing/evaluation and flaw remediation processes?
- There is no evidence of a capability to require system developers/integrators to consult with cybersecurity and privacy personnel to:
▪ Create and implement a Security Test and Evaluation (ST&E) plan;
▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
▪ Document the results of the security testing/evaluation and flaw remediation processes.

Does the organization approve, document and control the use of live data in development and test environments?
- There is no evidence of a capability to approve, document and control the use of live data in development and test environments.

Does the organization require system developers and integrators to perform configuration management during system design, development, implementation and operation?
- There is no evidence of a capability to require system developers and integrators to perform configuration management during system design, development, implementation and operation.

Does the organization require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party?
- There is no evidence of a capability to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party.

Does the organization limit privileges to change software resident within software libraries?
- There is no evidence of a capability to limit privileges to change software resident within software libraries.

Does the organization facilitate the implementation of third-party management controls?
- There is no evidence of a capability to facilitate the implementation of third-party management controls.

Does the organization evaluate security risks associated with the services and product supply chain?
- There is no evidence of a capability to evaluate security risks associated with the services and product supply chain.

Does the organization mitigate the risks associated with third-party access to the organization’s systems and data?
- There is no evidence of a capability to mitigate the risks associated with third-party access to the organization’s systems and data.

Does the organization identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data?
- There is no evidence of a capability to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data.

Does the organization monitor, regularly review and audit supplier service delivery for compliance with established contract agreements?
- There is no evidence of a capability to monitor, regularly review and audit supplier service delivery for compliance with established contract agreements.

Does the organization address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements?
- There is no evidence of a capability to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

Does the organization control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party?
- There is no evidence of a capability to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party.

Does the organization facilitate the implementation and monitoring of vulnerability management controls?
- There is no evidence of a capability to facilitate the implementation and monitoring of vulnerability management controls.

Does the organization ensure that vulnerabilities are properly identified, tracked and remediated?
- There is no evidence of a capability to ensure that vulnerabilities are properly identified, tracked and remediated.

Does the organization address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks?
- There is no evidence of a capability to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.

Does the organization identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)?
- There is no evidence of a capability to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD).

Does the organization conduct software patching for all deployed operating systems, applications and firmware?
- There is no evidence of a capability to conduct software patching for all deployed operating systems, applications and firmware.

Does the organization facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures?
- There is no evidence of a capability to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.

Does the organization utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports?
- There is no evidence of a capability to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.
SP-CMM 1 Performed Informally SP-CMM 2 Planned & Tracked
SP-CMM 1 Performed Informally:
- Security and privacy governance is informally assigned as an additional duty to existing IT or cybersecurity personnel.
- Governance focus is narrowly limited to certain compliance requirements.
- Basic cybersecurity policies and standards are documented [not based on any industry framework].
SP-CMM 2 Planned & Tracked:
- Compliance requirements for security and privacy are identified and documented.
- Controls are assigned to sensitive assets to comply with specific compliance requirements.
- Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).

SP-CMM 1 Performed Informally:
- Documentation is made available to internal personnel.
- Basic procedures are established for important tasks, but are ad hoc and not formally documented.
SP-CMM 2 Planned & Tracked:
- Documentation is made available to internal personnel.
- Procedures for important tasks are documented and assigned to individuals or teams.

SP-CMM 1 Performed Informally:
- Unstructured review is performed on an annual basis.
- Informal recommendations are made to update existing policies and standards.
- Documentation change control processes do not exist or are not formal.
- People affected by the changes are provided notification of the changes.
SP-CMM 2 Planned & Tracked:
- Formal review process is performed on an annual basis.
- Review process includes the scope of applicable statutory, regulatory and contractual obligations.
- Recommendations for edits are submitted for review and are handled in accordance with documentation change control processes.
- Updated version is published at least annually, based on the review process.
- People affected by the changes are provided notification of the changes.

SP-CMM 1 Performed Informally:
SP-CMM1 is N/A, since a structured process is required to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.
SP-CMM 2 Planned & Tracked:
- A qualified individual is assigned the role and responsibilities to centrally-manage, coordinate, develop, implement and maintain a cybersecurity and privacy program.

SP-CMM 1 Performed Informally:
- Organizational leadership maintains an informal process to review and respond to metrics.
SP-CMM 2 Planned & Tracked:
- Simple metrics exist to provide oversight of a limited scope of cybersecurity & privacy controls.
- Organizational leadership maintains an informal process to review and respond to metrics.

SP-CMM 1 Performed Informally:
- Cybersecurity personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement.
SP-CMM 2 Planned & Tracked:
- Incident response personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement.
- Contact information is verified and updated on at least an annual basis.

SP-CMM 1 Performed Informally:
- Cybersecurity and privacy personnel identify and maintain contact information for local, regional and national cybersecurity / privacy groups and associations.
SP-CMM 2 Planned & Tracked:
- Cybersecurity and privacy personnel identify and maintain contact information for local, regional and national cybersecurity / privacy groups and associations.
- Cybersecurity and privacy personnel in supervisory positions subscribe to news feeds from groups and associations to facilitate ongoing education and training.

SP-CMM 1 Performed Informally:
- Inventories are manual (e.g., spreadsheets).
- Inventory of physical technology assets covers common devices (e.g., laptops, workstations and servers).
- Annual IT asset inventories are performed.
- No structured process exists to review or share the results of the inventories.
SP-CMM 2 Planned & Tracked:
- Inventories may be manual (e.g., spreadsheets) or automated.
- Inventory covers assets in scope for statutory, regulatory and/or contractual compliance, which includes both physical and virtual assets.
- Annual IT asset inventories are performed.
- No structured process exists to review or share the results of the inventories.

SP-CMM 1 Performed Informally:
- Organizational policies and standards cover software licensing restrictions for users, as part of acceptable and unacceptable behaviors.
- Asset management is informally assigned as an additional duty to existing IT or cybersecurity personnel.
- Software licensing is tracked as part of IT asset inventories.
SP-CMM 2 Planned & Tracked:
- Organizational policies and standards cover software licensing restrictions for users, as part of acceptable and unacceptable behaviors.
- Asset management is informally assigned as an additional duty to existing IT or cybersecurity personnel.
- Software licensing is tracked as part of IT asset inventories.
- Deviations from approved software deployments are reviewed on a case-by-case basis by IT or cybersecurity personnel.

SP-CMM 1 Performed Informally:
- Inventories are manual (e.g., spreadsheets).
- Inventory of physical technology assets are assigned to individual users or teams.
SP-CMM 2 Planned & Tracked:
- Inventories may be manual (e.g., spreadsheets) or automated.
- Inventory of physical technology assets are assigned to individual users or teams.
- Annual IT asset inventories are performed and ownership is updated.

SP-CMM 1 Performed Informally:
- IT personnel maintain network diagrams to document the flow of data across the network.
- On at least an annual basis, or after any major technology or process change, network diagrams are updated to reflect the current topology.
SP-CMM 2 Planned & Tracked:
- Application/system/process owners categorize data in accordance with organizational policies and standards.
- Application/system/process owners, in conjunction with IT and cybersecurity personnel, document where personal data is stored, transmitted and processed in order to document sensitive data flows.
- Application/system/process owners, in conjunction with IT and cybersecurity personnel, generate Data Flow Diagrams (DFDs) and network diagrams.
- On at least an annual basis, or after any major technology or process change, the application/system/process owner updates the data mapping documentation.

SP-CMM 1 Performed Informally:
- Organizational policies and standards cover media handling requirements for users.
- Data classification and handling criteria govern user behavior for media handling.
SP-CMM 2 Planned & Tracked:
- Organizational policies and standards cover enhanced media handling requirements for users.
- Data classification and handling criteria govern user behavior for media handling.
- Content filtering blocks users from performing ad hoc file transfers through unapproved file transfer services (e.g., Box, Dropbox, Google Drive, etc.).
- Users are educated on their responsibilities to strictly control sensitive media (e.g., USBs, mobile devices, external drives, etc.).

SP-CMM 1 Performed Informally:
- Organizational policies and standards cover security requirements for unattended systems (e.g., kiosks, ATMs, etc.).
- Hardened system configurations are used for unattended systems to enforce the principle of "least functionality" by removing unnecessary accounts, applications and services.
SP-CMM 2 Planned & Tracked:
- Organizational policies and standards cover enhanced security requirements for unattended systems (e.g., kiosks, ATMs, etc.).
- Hardened system configurations are used for unattended systems to enforce the principle of "least functionality" by removing unnecessary accounts, applications and services.
- Periodic physical and local inspections are performed to validate the integrity of the unattended systems.

SP-CMM 1 Performed Informally:
- Organizational policies and standards cover requirements for users to dispose of, destroy or repurpose system components when they are no longer needed for business or legal reasons.
- IT personnel collect technology assets and media for destruction when they are no longer needed for business or legal reasons.
SP-CMM 2 Planned & Tracked:
- Organizational policies and standards cover requirements for users to dispose of, destroy or repurpose system components when they are no longer needed for business or legal reasons.
- IT personnel either perform the destruction of technology assets and media in a secure manner or outsource the destruction to a third-party that specializes in technology assets and media destruction.
- Devices are "escrowed" in storage for a period of time before being wiped and reissued, in case data on the devices are needed for investigations or business purposes.

SP-CMM 1 Performed Informally:
- IT personnel utilize an informal process to govern technology development and acquisition.
- Project management is decentralized and generally lacks formal project managers or broader oversight.
- IT staff work with business process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
- Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) based on the data that may exist on the device(s).

SP-CMM 1 Performed Informally:
- Departing user's supervisor collects assets and returns the assets to IT personnel.
SP-CMM 2 Planned & Tracked:
- Departing user's supervisor collects assets and returns the assets to IT personnel.
- Assets not returned are reported as a security incident.

SP-CMM 1 Performed Informally:
- Organizational policies and standards cover requirements for approving assets from entering or exiting facilities.
SP-CMM 2 Planned & Tracked:
- Organizational policies and standards cover requirements for approving assets from entering or exiting facilities.
- Users are trained and encouraged to stop and question anyone attempting to install or remove assets from IT facilities.

SP-CMM 1 Performed Informally:
- Disaster Recovery (DR) is formally assigned as an additional duty to existing IT or cybersecurity personnel.
- IT personnel work with business stakeholders to identify business-critical systems and services.
- IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
- Business stakeholders develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident.
SP-CMM 2 Planned & Tracked:
- Disaster Recovery (DR) is formally assigned as an additional duty to existing IT or cybersecurity personnel.
- On at least an annual basis, DR personnel conduct tabletop exercises to validate disaster recovery and contingency plans.
- DR personnel work with business stakeholders to identify business-critical systems and services.
- IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
- Business stakeholders develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident.

SP-CMM 1 Performed Informally:
- IT personnel work with business stakeholders to identify business-critical systems and services, including related plans (e.g., incident response, breach notification, etc.).
- IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
- Business stakeholders develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident.
SP-CMM 2 Planned & Tracked:
- On at least an annual basis, DR personnel conduct tabletop exercises to validate disaster recovery and contingency plans.
- DR personnel work with business stakeholders to identify business-critical systems and services, including related plans (e.g., incident response, breach notification, etc.).
- IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
- Business stakeholders develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident.

SP-CMM 1 Performed Informally:
SP-CMM1 is N/A, since a structured process is required to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery
SP-CMM 2 Planned & Tracked:
- Dedicated alternate storage site is identified and documented.
- Organization acquires space to serve as the alternate site that is a safe distance from the inaccessible facility (e.g., dedicated business or cloud facility)

SP-CMM 1 Performed Informally:
- Technologies exist to conduct full, incremental or differential backups (e.g., tape/disk, hybrid cloud or direct-to-cloud).
instance).
(BCPs)
utilize (DR)
to ensure
a backup
is methodology
formally assigned as
of system backup information. functions
(e.g., are sustainable
grandfather, father both
& son during and after
an additional
- ITincident.
an personnel duty to existing
maintain IT rotation)
technologies thatto arestore
or cybersecurity
backups
personnel.
compatible offsite,
withseparate from theand
existing network primary
SP-CMM1 is N/A, since a structured process is
- IT personnel work with business stakeholders -infrastructure storage site.
On at least anconfiguration.
annual basis, DR personnel
required
to identifytobusiness-critical
establish an alternate
systems processing site conduct tabletop exercises to validate disaster
and services. - IT personnel maintain network connectivity
that provides security
- IT personnel developmeasures equivalent
Disaster Recovery to
Plans recovery
from the and contingency
alternate site to the plans.business locations
that
(DRP)oftothe primary
recover site.
business-critical systems and - DR personnel work with business stakeholders
providing the ability for data communications
services. to identify
support business-critical
business processes. systems and services.
- Technologies exist to conduct full, incremental - IT personnel
Assigns roles develop Disaster Recovery
and responsibilities to restorePlans
the
or differential backups (e.g., tape/disk, hybrid (DRP)
site in totherecover
event of business-critical
a catastrophe,systems emergency, and or
cloud or direct-to-cloud). services.
similar-type disruptive incident in accordance
- IT personnel utilize a backup methodology -with
Technologies
the Continuity exist of
to Operations
conduct full,(COOP) incremental
plan.
(e.g., grandfather, father & son rotation) to or differential backups (e.g., tape/disk, hybrid
create backups to support business needs (e.g., cloud or direct-to-cloud).
Recovery Time Objectives). - IT personnel utilize a backup methodology
- A random sampling of backups are tested at (e.g., grandfather, father & son rotation) to
least annually. create backups to support business needs (e.g.,
Recovery Time Objectives).
- A random sampling of backups are tested at
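The grandfather/father/son (GFS) rotation and the annual restore-test sampling named in the BCD-11 criteria are easy to state and easy to get wrong in practice (typically by letting the "son" window silently swallow the month-start set). The following is an added example, not part of the gap-assessment template, showing one concrete GFS selection over a constructed backup catalogue. The policy values (7 daily, 4 weekly taken on Sunday, 12 monthly taken on the first backup of the month) and the catalogue dates are hypothetical.

```python
"""GFS backup-set retention and restore-test sampling.

Added example for the BCD-11 criteria above; not part of the template.
Assumed (hypothetical) policy: one full backup per calendar day; keep the
newest 7 daily sets (sons), the newest 4 Sunday sets (fathers) and the
newest 12 first-of-month sets (grandfathers). Everything else may rotate.
"""
import random
from datetime import date, timedelta


def sample_backup_dates(end=date(2024, 3, 31), days=400):
    """Constructed sample catalogue: one backup per day ending on `end`."""
    return [end - timedelta(days=i) for i in range(days)]


def select_gfs(backup_dates, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Return the set of backup dates the GFS policy retains.

    Sons: the newest `keep_daily` backups.
    Fathers: the newest `keep_weekly` Sunday backups (weekday() == 6).
    Grandfathers: the newest `keep_monthly` earliest-in-month backups.
    The union is returned, so a set that qualifies twice is counted once.
    """
    dates = sorted(set(backup_dates), reverse=True)  # newest first
    sons = dates[:keep_daily]
    fathers = [d for d in dates if d.weekday() == 6][:keep_weekly]
    # Walking newest-to-oldest, the last write for a (year, month) key is
    # the earliest backup taken in that month.
    first_in_month = {}
    for d in dates:
        first_in_month[(d.year, d.month)] = d
    grandfathers = sorted(first_in_month.values(), reverse=True)[:keep_monthly]
    return set(sons) | set(fathers) | set(grandfathers)


def rotation_candidates(backup_dates, **policy):
    """Backup dates not retained by the policy, oldest first."""
    keep = select_gfs(backup_dates, **policy)
    return sorted(set(backup_dates) - keep)


def restore_test_sample(retained, k=3, seed=None):
    """Pick k retained sets for the annual restore test.

    A fixed `seed` makes the draw reproducible for the audit record;
    leave it None for a genuinely random draw.
    """
    return random.Random(seed).sample(sorted(retained), k)


if __name__ == "__main__":
    catalogue = sample_backup_dates()
    keep = select_gfs(catalogue)
    print(f"{len(catalogue)} sets in catalogue, {len(keep)} retained, "
          f"{len(catalogue) - len(keep)} eligible for rotation")
    for d in sorted(keep):
        print(d.isoformat())
    print("restore test sample:",
          [d.isoformat() for d in restore_test_sample(keep, seed=2024)])
```

Running it on the constructed 400-day catalogue retains 22 sets (7 sons, 3 additional Sunday fathers, 12 month-start grandfathers) and marks 378 for rotation; the oldest retained set is the first backup of the twelfth month back, which is the figure to compare against the organization's records-retention requirement.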
CAP-01 Capacity & Performance Management
SP-CMM1:
- IT personnel work with business stakeholders to identify growth requirements and add capacity accordingly.
SP-CMM2:
- IT personnel work with business stakeholders to identify business-critical systems and services.
- IT infrastructure personnel create and maintain a model of infrastructure performance to understand current resource needs.

CHG-01 Change Management Program / CHG-02 Configuration Change Control
SP-CMM1:
- IT personnel utilize an informal process to govern changes to systems/applications/services to ensure their stability, reliability and predictability.
- Requests for Change (RFC) are submitted to IT personnel.
- Prior to changes being made, RFCs are reviewed for cybersecurity and privacy ramifications.
- Access control is governed to limit the ability of non-administrators to make configuration changes to systems/applications/services.
SP-CMM2:
- A Change Advisory Board (CAB), or similar structure, exists to govern changes to systems/applications/services to ensure their stability, reliability and predictability.
- Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
- Prior to changes being made, RFCs are reviewed for cybersecurity and privacy ramifications.
- Access control is governed to limit the ability of non-administrators to make configuration changes to systems/applications/services.

CHG-02.2 Test, Validate & Document Changes
SP-CMM1:
- Whenever possible, IT personnel test changes to critical systems/services/applications on like technology, prior to widespread production release of the change.
- Results from testing changes are documented.
SP-CMM2:
- IT personnel utilize a dedicated test environment to deploy changes.
- IT security controls are tested after the change is implemented to ensure the controls are operating properly.

CPL-01 Statutory, Regulatory & Contractual Compliance / CPL-02 Security Controls Oversight
SP-CMM1:
- IT personnel utilize an informal process to govern statutory, regulatory and contractual compliance obligations.
- Compliance reporting is performed, as required.
SP-CMM2:
- The IT security function utilizes a structured process to govern statutory, regulatory and contractual compliance obligations.
- The IT security function performs an annual review of existing compliance requirements and researches evolving or new requirements that are not yet in scope for compliance.
- Compliance reporting is performed, as required.
- Asset custodians are assigned roles and responsibilities that address technical compliance requirements.

CPL-03 Security Assessments
SP-CMM1:
- IT personnel self-identify a set of controls that are appropriate to conduct security and privacy control assessments.
- IT personnel assess the security and privacy controls to determine acceptable risk.
SP-CMM2:
- IT security personnel use a set of controls that are appropriate to conduct security and privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
- On at least an annual basis, IT security personnel perform an assessment of applicable security and privacy controls.
- IT security personnel generate a formal report for each security assessment that documents the assessment of security and privacy controls to determine acceptable risk.

CPL-03.1 Independent Assessors
SP-CMM1:
- Stakeholders contract with a third-party assessor to perform an independent assessment of security and privacy controls.
SP-CMM2:
- The IT security function either uses an impartial member of its security team or contracts with a third-party assessor to perform an independent assessment of security and privacy controls.

CPL-04 Audit Activities
SP-CMM1:
- IT personnel utilize an informal process to notify stakeholders about audit activities to minimize the impact of those audit activities on business operations.
SP-CMM2:
- IT security personnel utilize a defined process to notify stakeholders about audit activities to minimize the impact of those audit activities on business operations.

CFG-02 System Hardening Through Baseline Configurations
SP-CMM1:
- IT personnel utilize an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
- Apart from workstation and server operating system baselines, configuration management is decentralized.
- Configurations are not closely aligned with industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
- Configurations are reviewed only when new operating systems are released.
SP-CMM2:
- The IT security function utilizes a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
- IT security personnel use secure configuration guidelines that are appropriate to address applicable statutory, regulatory and contractual requirements, including the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.
- Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive data.

CFG-03.1 Periodic Review
SP-CMM1:
- Same informal, decentralized configuration management as CFG-02.
SP-CMM2:
- The IT security function performs an annual review of existing configurations to ensure security objectives are still being accomplished.
- Historical versions of configurations are maintained for troubleshooting and forensics reasons.
- Special baseline configurations are created for "high risk" environments or for systems / applications / services that store, process or transmit sensitive data.
- Deviations from baseline configurations are required to have a risk assessment, and the business owner accepts the risk(s) associated with the deviation.
- Unauthorized configuration changes are responded to in accordance with the Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.

MON-01 Continuous Monitoring
SP-CMM1:
- Same informal, decentralized configuration management as CFG-02.
- Logging of events and the review of event logs is narrowly focused on critical systems.
SP-CMM2:
- System baseline configurations enforce logging that links system access to individual users or service accounts, using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.
- System baseline configurations generate logs that contain sufficient information to establish the necessary particulars of activity and allow for forensic analysis.
- System baseline configurations use internal system clocks to generate time stamps for audit records that are synchronized with an authoritative time source.
- System baseline configurations store logs locally and forward logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.
- System baseline configurations retain audit records for a time period consistent with records retention requirements, to support after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
- A log aggregator, or similar automated tool, monitors critical systems for unauthorized activities.
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on critical systems.
- Internet-bound requests are logged in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.

MON-03.3 Privileged Functions Logging
SP-CMM2:
- Logs of privileged functions (e.g., administrator or root actions) are reviewed for evidence of unauthorized activities.

MON-08 Protection of Audit Information
SP-CMM2:
- System baseline configurations restrict access to the management of event logs to privileged users with a specific business need, to protect event logs and audit tools from unauthorized access, modification and deletion.

CRY-01 Use of Cryptographic Controls
SP-CMM1:
- Same informal, decentralized configuration management as CFG-02.
SP-CMM2:
- The IT security function utilizes a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
- IT security personnel use secure configuration guidelines that are appropriate to address applicable statutory, regulatory and contractual requirements, including the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.

CRY-01.2 Export-Controlled Technology
SP-CMM1 is N/A, since a structured process is required to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.

CRY-03 Transmission Confidentiality / CRY-04 Transmission Integrity
SP-CMM2:
- All network communications containing sensitive data utilize a cryptographic mechanism to prevent unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).
- Systems / applications / services that store, process or transmit sensitive data utilize cryptographic mechanisms to prevent unauthorized disclosure of information as an alternative to physical safeguards.
- All instances of non-console administrative access utilize cryptographic mechanisms to protect the confidentiality and integrity of the data being transmitted.
- All wireless access is protected via secure authentication and encryption.

CRY-05 Encrypting Data At Rest
SP-CMM2:
- All mobile devices containing sensitive data utilize a cryptographic mechanism to prevent the unauthorized disclosure of information at rest (e.g., whole drive encryption).
- All databases containing sensitive data utilize a cryptographic mechanism to prevent the unauthorized disclosure of information in the database (e.g., column-level encryption, Transparent Data Encryption (TDE), etc.).

CRY-09 Cryptographic Key Management
SP-CMM2:
- An IT infrastructure team, or similar function, implements and maintains an internal Public Key Infrastructure (PKI) or obtains PKI services from a reputable PKI service provider.
- The Public Key Infrastructure (PKI) management function facilitates the implementation of cryptographic key management controls to protect the confidentiality, integrity and availability of keys.
- The PKI infrastructure ensures the availability ...

DCH-01 Data Protection
SP-CMM1:
- IT personnel utilize an informal process to identify ...
SP-CMM2:
- IT security personnel identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
of
authentication All databases
information to physical
containing
in
and the safeguards.
event
encryption. sensitive
of the data
loss of utilize a
etc.).
Encryption -management
sensitive Physical controls,
data function
utilize administrative
facilitates
ateam,
cryptographic processes
the mechanism and
(e.g.,
-- All whole(TDE),
wireless drive
access
etc.).
encryption).
is protected via secure
--cryptographic
technologies
implementation
An IT infrastructure
Systems / mechanism
keys
applications
focus of by
on / to
individualorprevent
services
protecting
cryptographic
similar
users.
that
High
key Value
function,
thestore,
All to prevent the unauthorized disclosure of
All network
databasescommunications
-authentication containing
and encryption.
containing
sensitive data utilize a unauthorized implements
-process
Assets
management The PKI
(HVAs),
and
transmit maintains
disclosure
orinfrastructure
including
controls sensitive
to of an internal
information
facilitatesdata
environments
protect the
utilize
the
Public
in theKey
secure
where
sensitive data utilize a cryptographic mechanism information
Infrastructure
database while
(e.g., (PKI) in transit
infrastructure
column-level, (e.g., SSH,
or
Transparent TLS,
obtains VPN,
PKI
cryptographic mechanism to prevent the
to prevent the unauthorized disclosure of
distribution
cryptographic
sensitive
confidentiality,
etc.).
services from
of
data ais symmetric
mechanisms
stored, transmitted
integrity
reputable andand
PKI
asymmetric
toavailability
prevent
service and ofData
provider. keys.
SP-CMM1
unauthorized is N/A, since aof
disclosure structured
information process
in theis Encryption
cryptographic
-unauthorized (TDE), keys etc.).
disclosure using industry
of information recognized as an key
information
required
databaseto while in transit
facilitate
(e.g., (e.g.,
cryptographic
column-level, SSH,
keyTLS,Data
Transparent VPN, processed. -alternate
management
The
All
The
All
PKI
wireless
Public
network
infrastructure
access
Key Infrastructure
communications
technology
ensures
is protectedand
the
via availability
(PKI)
containing
processes. secure
-of
authentication Data
information to
protectionphysical
in
and controls
the safeguards.
event
encryption. are
of primarily
thethe loss of
etc.).
management
Encryption (TDE), controls
etc.).to protect the management
sensitive data function
All cryptographic utilize keys facilitates
ateam,
cryptographic
are bound to mechanism
individual
--administrative
cryptographicAn IT infrastructure
Systems / and
keys
applications preventative
by individual
/ or similar
services in nature
users.
that function,
store, (e.g.,
-confidentiality,
All wireless access is protected
integrity and availability
- All network communications via secure
containingof keys. to implementation
identities. prevent the of cryptographic
unauthorized disclosurekey ofand Key
implements
policies
-
process The PKI &
or and
standards)
infrastructure
transmit maintains to
sensitive an
classify,
facilitates internal
data protect
the
utilize Public
secure
authentication and encryption.
sensitive data utilize a cryptographic mechanism information management
Infrastructure controls
while(PKI) inand to protect
transit
infrastructure (e.g., the
SSH, TLS, VPN,
or obtains PKI
dispose
distribution
cryptographic
confidentiality, of systems
of symmetric
mechanisms
integrity data.
andand asymmetric
toavailability
prevent of keys.
to prevent the unauthorized disclosure of etc.).
services
-
cryptographicIT from
personnel, a orreputable
keys a similar
using PKI service
function,
industry provider.
implement
recognized
SP-CMM1 is while
N/A, since a structured process is -unauthorized
--and The
All PKI
wireless disclosure
infrastructure
access of information
ensures
is protected the secure as an key
via availability
information in transit (e.g., SSH, TLS, VPN, managementThemaintain
Public Keyan Infrastructure
asset
technology management
and (PKI)
processes. capability.
required to facilitate the implementation of data authentication alternate
of to physical
informationfunction in
and safeguards.
theencryption.
event of thethe loss of
etc.). management
--cryptographic
Technologies are facilitates
configured
protection controls. -with
All cryptographic
An IT infrastructure
Systems / keys
applications
keys
by team,
individual
/ or to
are bound
services
protect
similar to individual
thatfunction,
users. data
store,
- All wireless access is protected via secure implementation
identities. the strength ofandcryptographic
integrity key
commensurate
implements
-
processThe PKI and
infrastructure maintains an
facilitates internalthe Public
secure Key
authentication and encryption. management
with theor
Infrastructure
distribution
transmit
of
controls
classification
(PKI)
symmetric
sensitive
or
infrastructure
and
datathe
to sensitivity
protect utilize
or
asymmetric ofobtains
the PKI
cryptographic
confidentiality,
information mechanisms
integrity and toavailability
prevent of keys.
services
cryptographic fromand akeys mostly
reputable conform
usingensures PKI
industry serviceto industry-
provider.
recognized an key
-unauthorized
The
recognized
-alternate PKI
The Public
disclosure
infrastructure
standards
Key
of information
for hardening
Infrastructure the as
availability
(PKI) (e.g., DISA
management
of information to technology
physical
in the event and
safeguards. of theprocesses.
loss ofguides),
STIGs,
management CIS Benchmarks
function or
areOEM
facilitates security
the
--including
All cryptographic
An IT infrastructure
cryptographic keys
cryptographic
keys
by team,
individualbound
or similar
protections
to individual
users. function,
implementation
identities.
implements and of cryptographic
maintains an internal keyforPublic sensitive
Key
-data.
The PKI
management infrastructure
controls facilitates
to protect the the secure
Infrastructure
distribution
-confidentiality,
Data management of (PKI)
symmetric infrastructure
and
is decentralized or
asymmetric obtains
where PKI
services from akeys integrity
reputable andPKIavailability
service of keys.
provider.
cryptographic using industry recognized key
sensitive
address applicable data is stored, transmitted
statutory, regulatoryand and
processed.
contractual requirements.
-- Data protection
Physical controls,controls are primarily
administrative processes and
administrative
technologies and
focus preventative
on protecting inHigh
nature
Value(e.g.,
- IT security
policies & personneltoidentify
standards) classify,data protection
protect and
Assets
and (HVAs),
privacy including
controls environments
thatdata.
are appropriate where
to
dispose
sensitive ofdata
systems and
is stored, transmitted and and
SP-CMM1 is N/A, since a structured process is address applicable statutory, regulatory
-processed. IT personnel, or a similar function, implement
required to ensure data and assets are contractual requirements.
categorized in accordance with applicable and
-- Data maintain
protectionan asset management
controls are primarily capability.
-administrative Physical controls,
Technologies and administrative
are configured to processes
protect data and
statutory, regulatory and contractual technologies focus preventative
on protecting inHigh
nature
Value(e.g.,
with
- IT security
policies the strength and integrity
personneltoidentify
& standards) classify,commensurate
data protection
protect and
requirements. Assets (HVAs), including environments where
with
and privacy
dispose theofclassification
controls
systems ordata.
that
and sensitivity of the
are appropriate to
SP-CMM1 is N/A, since a structured process is sensitive
information data is stored,
and transmitted and and
address
-processed. IT personnel, ormostly
applicable similar conform
a statutory, to industry-
regulatory
function, implement
required to mark media in accordance with data contractual recognized standards
requirements. for hardening (e.g., DISA
and
-- Data maintain
protectionan asset management
controls are primarily capability.
protection requirements so that personnel are STIGs, CIS
Physical Benchmarks
controls, or OEM
administrative security guides),
processes and
-administrative Technologies and are configured
preventative to in
protect
nature data
(e.g.,
alerted to distribution limitations, handling including
technologies cryptographic
focus on protections
protecting forValue
High sensitive
with
-data.
policies the strength
IT security and integrity
personneltoidentify
& standards) classify,commensurate
data protection
protect and
caveats and applicable security requirements. Assets (HVAs), including environments where
with
and
dispose theofclassification
privacy controls
systems ordata.
that
and sensitivity
are of the
appropriate to
-information
sensitive Data management
data is decentralized
is stored,
and mostly transmitted
conform where
and
to industry-
address
-processed.
business IT applicable
personnel,
process or a statutory,
similar
owners regulatory
function,
are expected and
implement
to take
SP-CMM1 is N/A, since a structured process is recognized
contractual standards
requirements. for hardening (e.g., DISA
and maintain anwork
asset management capability.
required to identify custodians throughout the the -STIGs,
-Officers
initiative
Data CIS
Physical
to
protection
Benchmarks
controls,
with
controlsor Dataprimarily
are
OEM
administrative
Protection
security guides),
processes and
-administrative Technologies
(DPOs) are configured
to ensure
and to in
protect
applicable
preventative data
statutory,
nature (e.g.,
transport of system media. including
technologies cryptographic
focus on protections
protecting for
High sensitive
Value
with
-regulatory
policies the strength
IT security personnel
and and integrity
toidentify
contractual
& standards) classify,commensurate
data
obligationsprotection
protect are
and
data.
Assets
with (HVAs),
the including
classification environments
ordata.
sensitivity of thewhere
and
properly
dispose
-information privacy
of controls
addressed,
systems
Data management that
and are
including appropriate
the
is decentralized storage,
where to
sensitive
address
transmission data is stored,
and
applicable
and mostly transmitted
conform
statutory,
processing regulatory
of and
to industry-
sensitive and
data.
-processed.
business IT personnel,
process or a similar
owners function,
are expected implement
to take
SP-CMM1 is N/A, since a structured process is recognized
contractual standards
requirements. for hardening (e.g., DISA
and maintain anwork
asset management capability.
required to securely dispose of media when it is the -STIGs,
-Officers
initiative
Data CIS
Physical
to
protection
Benchmarks
controls,
with
controlsor Dataprimarily
are
OEM
administrative
Protection
security guides),
processes and
-administrative Technologies
(DPOs) are configured
to ensure
and to in
protect
applicable
preventative data
statutory,
nature (e.g.,
no longer required, using formal procedures. including
technologies cryptographic
focus on protections
protecting for
High sensitive
Value
with
-regulatory
policies the strength
IT security personnel
and and integrity
toidentify
contractual
& standards) classify,commensurate
data
obligationsprotection
protect are
and
data.
Assets
with (HVAs),
the including
classification environments
ordata.
sensitivity of thewhere
and
properly
dispose
-information privacy
of controls
addressed,
systems
Data management that
and are
including appropriate
the
is decentralized storage,
where to
sensitive
address
transmission data is stored,
and
applicable
and mostly transmitted
conform
statutory,
processing regulatory
of and
to industry-
sensitive and
data.
-processed.
business IT personnel,
process or a similar
owners function,
are expected implement
to take
SP-CMM1 is N/A, since a structured process is recognized
contractual standards
requirements. for hardening (e.g., DISA
and
the
-STIGs, Datamaintain
initiative anwork
to
protection asset management
with
controls Dataprimarily
are capability.
Protection
required to restrict the use of types of digital -Officers CIS
Physical Benchmarks
controls, or OEM
administrative security guides),
processes and
administrative Technologies
(DPOs) are configured
to ensure
and to in
protect
applicable
preventative data
statutory,
nature (e.g.,
media on systems or system components. including
technologies cryptographic
focus on protections
protecting for
High sensitive
Value
with
-regulatory
policies the strength
IT security personnel
and and integrity
toidentify
contractual
& standards) classify,commensurate
data
obligationsprotection
protect are
and
data.
Assets
with (HVAs),
the including
classification environments
ordata.
sensitivity of thewhere
and
properly
dispose
-information privacy
of controls
addressed,
systems
Data management that
and are
including appropriate
the
is decentralized storage,
where to
sensitive
address
transmission data is stored,
and
applicable
and mostly transmitted
conform
statutory,
processing regulatory
of and
to industry-
sensitive and
data.
SP-CMM1 is N/A, since a structured process is -processed.
business IT personnel,
process or a similar
owners function,
are expected implement
to take
required to restrict removable media in recognized
contractual
and maintain standards
requirements.
anwork
asset for hardening
management (e.g., DISA
capability.
the
-STIGs, initiative
Data to
protection
CIS Benchmarks with
controlsor Dataprimarily
are
OEM Protection
security guides),
accordance with data handling and acceptable Officers -
-administrative Physical controls,
Technologies
(DPOs) are administrative
configured
to ensure to in processes
protect
applicable data
statutory,and
-including
technologies IT security and
cryptographic
personnel
focus preventative
on protections
identify
protecting data nature
for (e.g.,
sensitive
protection
High Value
usage parameters. with
regulatory
policies the strength
and and integrity
contractual
& standards) commensurate
obligations
to classify, protectare and
data.
and
Assets
with privacy
(HVAs),
the controls that
including
classification are appropriate
environments
ordata.
sensitivity of the to
where
properly
dispose
-information
address ofaddressed,
systems
Data management
applicable including
and
is the
decentralized
statutory, storage,
regulatory whereand
sensitive data is
and stored, transmitted and
SP-CMM1 is N/A, since a structured process is transmission
-contractual
business
processed. IT personnel,
process ormostly
and similar
owners
requirements
conform
aprocessing of to industry-
sensitive
function,
are
for expected
endpoint data.
implement
to take
devices.
required to utilize a process to assist users in recognized
and maintain standards
anwork
asset for hardening
management (e.g., DISA
capability.
the
-STIGs, initiative
Physical
Data to
controls,
protection
CIS Benchmarks with
controlsor Dataprimarily
administrative
are
OEM Protection
processes
security and
guides),
making information sharing decisions to ensure technologies -Officers Technologies
administrative (DPOs) are
focus
and configured
to ensure
on protecting
preventative to in
protect
applicable High data
statutory,
Value
nature (e.g.,
data is appropriately protected. including
-
with IT security
the cryptographic
personnel protections
identify data for sensitive
protection
regulatory
Assets
policies
data.
and &strength
privacy and
(HVAs),
standards)
controls
andto integrity
contractual
including
that
commensurate
obligations
protectare
environments
classify,
are appropriate where
and
with
properly
sensitive
dispose theofclassification
addressed,
data is
systems stored,
and or sensitivity
including the
transmitted
data. ofandthe to
storage,
-information
address Data management
applicable
and is decentralized
statutory, regulatory whereand
-- Policies and standards
IT personnel dictate requirements
utilize an informal process to for -contractual
transmission
processed.
business IT personnel,
process ormostly
and similar
owners
requirements
conform
aprocessing of to industry-
sensitive
function,
are
for expected
endpoint data.
implement
to take
devices.
retaining certain recognized
- Data standards
protection for
controls hardening
are primarily(e.g., DISA
design, build andtypes of data.
maintain secure configurations the and
- Physical
STIGs,
maintain
initiative
CIS
anwork
to
controls, asset
Benchmarks
management
with Data security
administrative
or OEM
capability.
Protection
processes and
guides),
-for Security awareness training administrative and preventative in nature (e.g.,
test, development, stagingcovers the
and production -Officers
including
-
Technologies
technologies
IT
(DPOs)
security
are
cryptographic
personnel
configured
to ensure
focus to protect
applicable
on protecting
protections
identify dataHigh
for
data
statutory,
Value
sensitive
protection
restrictions on disposing protected data. policies &strength
standards) andto manage endpoint
environments, including the implementation of with regulatory
Assets
data.
and
the and including
(HVAs),
privacy controls that
integrity
contractual commensurate
obligations
environments
are appropriate
are
where
appropriate data protection and privacy
devices.
with
properly
sensitive the classification
addressed,
data is or sensitivity
including
stored, the
transmitted ofandthe to
storage,
--information
address Data management
applicable
IT personnel, andormostlyis decentralized
statutory,
aprocessing
similar regulatory
function,
conform whereand
implement
to industry-
controls. transmission
processed.
business
contractual and
process owners
requirements are
forof sensitive
expected
endpoint todata.
take
devices.
- IT personnel utilize an informal process to and
recognized maintain an asset
standards management
for hardening capability,
(e.g., DISA
-design,Data management is decentralized. - Data protection controls are primarily
build and maintain secure configurations the -including
STIGs, initiative
Physical
CIS to work
controls,
endpoint
Benchmarks with
devices.
or Data security
administrative
OEM Protection
processes and
guides),
-for Alltest,
endpoint devices containing sensitive data technologies administrative
Officers (DPOs) and preventative
to ensure
focus in
applicable
on protecting nature
High (e.g.,
statutory,
Value
development, staging and production -including
Technologies are
cryptographicconfigured to
protectionsprotect
for data
sensitive
utilize a cryptographic
environments, including mechanism to preventof
the implementation the policies regulatory
Assets & standards)
and including
(HVAs), to manage
contractual endpoint
obligations
environments are
where
with
data.
devices. the strength and integrity commensurate
unauthorized disclosure of information
appropriate data protection and privacy at rest properly
sensitive
with the addressed,
data is including
stored,
classification or the
transmitted
sensitivity storage,
ofandthe
(e.g., whole drive encryption). -- Data management
IT personnel, is decentralized
or aprocessing
similar function, where
implement
controls. transmission
processed.
information
business and
and
process mostly
owners of
conform
are sensitive todata.
to industry-
expected take
-- IT personnel
Configurations utilize
mostlyan informal
conform process
to to
industry- and maintain an asset management capability,
-design,
Data management is decentralized. - Data
recognized
the protection
initiativestandards
to workcontrols are primarily
for hardening
with (e.g., DISA
Data Protection
recognized buildstandards
and maintain
for secure configurations
hardening (e.g., DISA including endpoint devices.
-forAlltest,
endpoint devices containing
development, staging sensitive data administrative STIGs,
Officers CIS and
Benchmarks
(DPOs) preventative
to ensure in nature
or applicable
OEMtosecurity (e.g.,
guides),
statutory,
STIGs,
utilize aCIS
cryptographic or OEMand
Benchmarks mechanism production
security
to guides).
prevent the
-policies
Technologies
& are
standards) configured
to manage protect
endpoint data
environments, including the implementation of including regulatory
with cryptographic
and contractual
the strength protections
and integrity obligationsforare
commensurate sensitive
unauthorized disclosure of information devices.
appropriate data protection and privacyat rest data.
properly
with the addressed, including
classification or the storage,
sensitivity of the
(e.g., whole drive encryption). - Data
IT personnel,
-transmission
management or aprocessing
and similar function,
is decentralized implement
of sensitivewheredata.
controls. information and
-- Configurations mostly conform to industry- and maintain
business processan mostly
asset
owners
conform
management to industry-
capability,
Data management is decentralized. recognized
including standards
endpoint for hardening (e.g., take
devices.
are expected to DISA
recognized standards for hardening (e.g., DISA
- All endpoint devices containing sensitive data STIGs, CIS Benchmarks or OEM the initiative to work with Data security
Protection
- Technologies are configured to protect guides),
data
STIGs,
utilize aCIS Benchmarks mechanism
cryptographic or OEM security guides).
to prevent the Officers (DPOs) to ensure applicable statutory,
including
with the cryptographic
strength and protections
integrity for
commensurate sensitive
unauthorized disclosure of information at rest regulatory
data. and contractual obligations are
with
properlythe classification
addressed, is or sensitivity
including of the
the storage,
(e.g., whole drive encryption). -information
Data management decentralized where
transmission and mostly
and owners conform
processing of to industry-
sensitive
- Configurations mostly conform to industry- business process are
recognized standards for hardening (e.g.,expected todata.
take
DISA
recognized standards for hardening (e.g., DISA the initiative to work with Data Protection
STIGs, CIS Benchmarks or OEM security guides),
STIGs, CIS Benchmarks or OEM security guides). Officers (DPOs) to ensure applicable statutory,
including cryptographic protections for sensitive
regulatory
data. and contractual obligations are
properly addressed,
- Data management is including the storage,
decentralized where
address
-processed. A Human applicable
Resources statutory,
(HR), orregulatory and
similar function,
- IT personnel utilize an informal process to contractual
ensures requirements
industry-recognized for endpoint devices.
design, build and maintain secure configurations -implemented - Data protection
Physical controls, controls areHR
administrative
practices are
primarily
processes and
administrative forand hiring, retaininginand
preventative nature (e.g.,
for test, development, staging and production technologies
terminating
-policies IT security focus on protecting
employees,
personnel contractors
identify High
data andValue
other
protection
environments, including the implementation of Assets & standards)
(HVAs), includingto manage
environmentsendpoint
personnel
and
devices. privacy that work that
controls on behalf of the where
are appropriate to
appropriate data protection and privacy sensitive
organization.
address data is
applicable stored, transmitted
statutory, regulatoryand and
-processed. IT Human
A personnel, or a similar
Resources (HR),function,
or similarimplement
function,
controls.
- IT personnel utilize an informal process to -contractual Themaintain
HRindustry-recognized
function, in conjunction
requirements forHR with
endpoint ITdevices.
security
and
ensures
-- Data protectionan asset management
controls capability,
practices
are primarily are
-design, Data management
build and maintain is decentralized.
secure configurations personnel, including Physical help
controls,
endpoint ensure secure
administrative
devices. practices
processesare and
-for Alltest,
endpoint devices containing sensitive implemented
administrative
data implemented forand hiring, retaining
preventative inand
nature (e.g.,
development, staging and production technologies
-policies
terminating Technologies inare
focus personnel
employees, on protecting
configured management
High
to endpoint
contractors protect
andValue
data
other
utilize a cryptographic mechanism to prevent the & standards) to manage
environments, including the implementation of operations Assets
with
personnel the to help
(HVAs),
strength
that manage
including
and
work riskoftothe
environments
onintegrity
behalf bothwhere
commensurateassets
unauthorized disclosure of information devices.
appropriate data protection and privacyat rest and
sensitive
with
organization. data. data is stored,
the classification transmitted
or sensitivity and
of the
(e.g., whole drive encryption). --processed. IT HR,
A
A personnel,
Humanorfunction,
similar or function,
Resources a similar
(HR), function,
or similar
defines implement
function,
terms of
controls.
- IT personnel utilize an informal process to information
- The HR and mostly
in conform
conjunction to
withindustry-
IT security
Configurations mostly conform to industry- and
ensures
employment,
-recognized maintain
Data protection an asset
industry-recognized
including management
controls HR
acceptable capability,
practices
and
are primarily are
-design, Data management
buildstandards is decentralized.
and maintain secure configurations personnel, standards
help ensure for hardening
secure (e.g.,are
practices DISA
recognized for hardening (e.g., DISA including
implemented
unacceptable
administrative endpoint
for
rules
and devices.
hiring,
of retaining
behavior
preventative for
inand
the
natureuse of
(e.g.,
--for
STIGs,
AllHuman
A endpoint
test, devices (HR),
Resources
development,
CIS Benchmarks
containing
staging
or OEM andsensitive
or similar production
security
data implemented
function,
guides).
STIGs,
-technologies,
terminating
CIS Benchmarks
Technologies inarepersonnel
employees,
or OEM
configured tosecurity
management
contractors protect
and
guides),
data
other
utilize a cryptographic mechanism to prevent the policies
including & including
standards)
cryptographic to consequences
manage
protections endpoint for
for sensitive
provides
environments, guidance on HRthe
including practices for hiring, of operations
implementation with
personnel to help
the strength
that manage
and
work onintegrity
behalfriskoftothe
both
commensurateassets
unauthorized disclosure ofemployees,
information unacceptable
devices. behavior.
retaining
appropriate anddataterminating
protection and privacyat rest data.
and
with
-organization.
data.
the classification or sensitivity of the
(e.g.,
contractors
controls. whole and driveother
encryption).
personnel that work on -- Personnel IT
A personnel,
Human
Data
A HR, management
management
orfunction,
similar or function,
Resources a similar
is(HR), isfunction,
mainly
or similar
decentralized
defines implement
function,
where
terms of
information
-
decentralized,
and
ensures The HR
maintain and
anwithmostly
inthe
asset
industry-recognized conform
conjunction
responsibility
management HR to
withindustry-
IT security
for training
capability,
practices are
-behalf Configurations
- Data management mostly
of the organization. conform
is decentralized. to industry- business
employment, process owners
including are expected
acceptable and to take
recognized
personnel,
users
including
implemented standards
help
andendpoint
enforcing
for ensure for
policies
devices.
hiring, hardening
secure being
retaining (e.g.,are
practices
assigned
and DISA
to
recognized
-- The HR
AllHuman standards
function,
endpoint in for hardening
conjunction
devices (HR),
containing with(e.g.,
IT
sensitive DISA
staff
data implemented the
unacceptable initiative to
ruleswork ofwith
behaviorData Protection
for the use of
A Resources or similar function, STIGs,
users’
-
terminating CIS Benchmarks
inare
supervisors
Technologies personnel
employees, and orcontractors
OEM
managers,
configured tosecurity
management
including
protect
and guides),
data
otherthe
STIGs, CIS Benchmarks or OEM security guides).
…utilize a cryptographic mechanism to prevent unauthorized disclosure of information at rest (e.g., whole drive encryption).

- A Human Resources (HR), or similar function, provides guidance on HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.
- HR, or similar function, defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.
- Personnel management is decentralized, with the responsibility for training users and enforcing policies being assigned to users' supervisors and managers, including the definition and enforcement of users' roles and responsibilities.
- Terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior, are at the discretion of users' management.
- The HR function, in conjunction with IT staff, helps ensure secure practices are implemented in personnel management operations to help manage risk to both assets and data.
- IT personnel, or a similar function, implement and maintain an asset management capability, including endpoint devices.

- Data protection controls are primarily administrative and preventative in nature (e.g., policies & standards).
- Data management is decentralized, where business process owners are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive data.
- Physical controls, administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive data is stored, transmitted and processed.
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive data.

SP-CMM1 is N/A, since a structured process is required to require all employees and contractors to apply security and privacy principles in their daily work.

SP-CMM1 is N/A, since a structured process is required to require internal and third-party users to sign appropriate access agreements prior to being granted access.

- IAM controls are primarily administrative and preventative in nature (e.g., policies & standards) to manage accounts and permissions.
- IT personnel, or a similar function, identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for Identity & Access Management (IAM).
- IT personnel, or a similar function, implement and maintain an Identity & Access Management (IAM) program that covers all users.
- IAM is decentralized. Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications or services.
- Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions. Due to technical or business limitations, asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications or services.
- IT personnel utilize an informal process to design, build and maintain secure configurations for test, development, staging and production environments, including the implementation of data protection and privacy controls.
- Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).

SP-CMM1 is N/A, since a structured process is required to restrict and control privileged access rights for users and services.
applications
-controls.
IAM is decentralized. Active that
Directory
covers(AD),
all or a Assets
-information
Active (HVAs),
Directory including
(AD), orenvironments
a similar where
Management
similar technology,
(IAM) program
mayconform
be used to centrally- or
sensitive
IAM
contractual controls
services.
data and are primarily
mostly
requirements
istostored, totechnology,
foradministrative
conform Identify
transmitted industry-and is
& Access
and
- Configurations
users. mostly industry- primarily
preventative
recognized used in centrally-manage
nature
standards for hardening (e.g., DISAand
(e.g., policies identities
&
manage identities Management (IAM).
-recognized
IAM controls are and
standards permissions,
for
primarilyhardening but
(e.g., DISA
administrative and processed.
permissions.
standards)
-STIGs, IT to Due
manage
CIS Benchmarks
personnel, or
to technical
accounts
or OEM orsecurity
business
and permissions.
guides),
asset/process
preventative in nature (e.g., policies &to guides).
STIGs, CIS owners
Benchmarks are
or authorized
OEM security operate -limitations,
-and Technologies
Physical area configured
similar
asset/process
controls,
function,
owners
administrative areimplement
to protect dataand
authorized
processes
astandards)
decentralized access accounts
control program for their including
with the cryptographic
maintain
strengthan Identity
and protections
& Access
integrity for sensitive
Management
commensurate
to manage and permissions. to operate
technologies
data. a decentralized
focus on access
protecting control
High Value
specific systems, applications or services. (IAM)
with
program capability
the for
classification
for their all or
specificusers.
sensitivity
systems, of the
applications
- IAM is decentralized. Active Directory (AD), or a Assets
-information
Active
IAM (HVAs),
Directory
controls including
are (AD), or
primarily environments
a similar where
technology,
administrative and is
-similar
IT personnel
technology,utilizemayan informal
be used to process to
centrally- or services.
sensitive data andisto mostly
stored, conform
transmitted to industry-
and
design, build and maintain secure configurations primarily
preventative
recognized used
standards for hardening (e.g., DISAand
in centrally-manage
nature (e.g., policies identities
&
manage identities and permissions, but processed.
permissions. Due to technical
for test, development,
asset/process owners are staging and production
authorized to operate
standards)
STIGs, to manage
CIS Benchmarks
-- Technologies or OEMor
accounts
are configured
business
and permissions.
tosecurity
protect guides),
dataand
environments, including the implementation of limitations,
Physical
including asset/process
controls,
cryptographic owners
administrative
protections are authorized
processes
for sensitive
a decentralized access control program for their with
to the
operatestrength
a and
decentralized integrity
technologies focus on protecting High Valueaccesscommensurate
control
appropriate
specific systems, data applications
protection and privacy
or services. data.
with the classification or environments
sensitivity of the
controls. program
Assets
-information for their
Active(HVAs),
Directory specific
including
(AD), or systems,
a similar applications
where is
technology,
SP-CMM1
- IT personnel is N/A, since
utilize anainformal
structured process
process to is or services. and mostly conform to industry-
-required
Configurations sensitive data istostored, transmittedidentities
and
design, build andmostly
to restrict and conform
maintain tightly toconfigurations
industry-
control
secure utility primarily
recognized
processed.
used
standards for hardening (e.g., DISAand
centrally-manage
recognized
programs standards
that for
are capable
for test, development, hardening
staging (e.g.,system
of overriding
and production DISA permissions.
STIGs, Due to technical
CIS Benchmarks or OEMor business
STIGs, CIS Benchmarks or OEM security guides). - Technologies
limitations, are configured
asset/process ownerstosecurity
protect guides),
data
areforauthorized
and application controls.
environments, including the implementation of including cryptographic protections sensitive
with
to the strength
operate a and integrity
decentralized accesscommensurate
control
appropriate data protection and privacy data.
with the classification or sensitivity of the
controls. program
-information for their (AD),
Active Directory specific or systems,
a similar applications
technology,
or services. and mostly conform to industry- is
- Configurations mostly conform to industry- primarily
recognized standards for hardening (e.g., DISAand
used to centrally-manage identities
recognized standards for hardening (e.g., DISA permissions. Due to technical
STIGs, CIS Benchmarks or OEMorsecurity
business guides),
STIGs, CIS Benchmarks or OEM security guides). limitations, asset/process
including cryptographic protections owners areforauthorized
sensitive
to operate a decentralized access control
data.
program for their (AD),
- Active Directory specific or systems,
a similar applications
technology, is
address applicable statutory, regulatory and
Management
- IT personnel,(IAM) program
or a similar that covers
function, all data -contractual
identify IAM controls are primarily
requirements foradministrative
Identify & Access and
users.
protection and privacy controls that are preventative
Management (IAM). in nature (e.g., policies &
-appropriate IAM controls to are primarily
address administrative
applicable statutory,and standards)
- IT personnel, to manage
or a similar accounts and implement
function, permissions.
preventative in
regulatory and contractual requirements to nature (e.g., policies & - Physical
and maintain an Identity & Access Management controls, administrative processes and
standards) to manage
implement and maintain an Identify & Access accounts and permissions. technologies
(IAM) capability for all users. focus on protecting High Value
-Management IAM is decentralized.
(IAM) programActive that Directory
covers(AD),all or a Assets
-- IAM (HVAs), are
controls including
primarily environments
administrative where and
similar technology, may be used to centrally- sensitive IT security
data personnel
is stored, identify
transmitteddata protection
and
users. preventative
and privacy controls that are appropriate to in nature (e.g., policies &
manage
- Incident identities
IAM controls are and
response permissions,
operations
primarily lack abut
administrative formaland processed.
standards) to manage accounts and permissions.
asset/process
Incident Response owners are
Plan(e.g., authorized
(IRP)policies
to guide& to operate address
-- Technologies applicable statutory,
are configured regulatory
to protect and
dataand
preventative in nature contractual Physical controls,
requirements administrative
for processes
incident response.
aoperations. decentralized access control
standards) to manage accounts and permissions. technologies program for their with the strength and integrity
focus on protecting commensurate
High Value
- IT security personnel implement
sensitivityand maintain
-specific IT
IAM is systems,
personnel applications
utilize
decentralized. anActive
informal or services.
process(AD),
Directory to or a withAssets the classification
(HVAs), including or environments of the
where
-facilitate IT personnel utilize an informal process to an
information incident response
and mostly capability
conform using
to a
industry-
similar technology, incident management
may be usedoperations to centrally- that -sensitive IT security
data personnel
is stored, identify
transmitteddata protection
and
design, build and maintain secure configurations documented
recognized
and and tested
privacystandards
controls forIncident
that hardening Response
are appropriate toPlan
(e.g., DISA
cover
manage
-for preparation,
Incident identities
responseand detection and
permissions,
operations lack analysis,
abut
formal processed.
test, development, staging and production (IRP)
STIGs,
address toCIS
facilitate
Benchmarks
applicable incident or
statutory, management
OEM security
regulatory guides),
and
containment,
asset/process
Incident Responseeradication
ownersPlanare and
(IRP) torecovery.
authorized
guide to operate - Technologies are configured to protect dataand
-environments,
aoperations. IT personnel utilize
decentralized including
access the implementation
ancontrol
informal processfor
program of operations
totheir including
contractual
with the
that
strength
cover
cryptographic
requirements
and
preparation,
protections
for incident
integrity
detection
forresponse.
commensuratesensitive
appropriate data protection and privacy analysis,
data.
-with containment,
IT security personnelor eradicationand
implement andmaintain
recovery.
design,
-specific build
systems,
IT personnel and maintain
applications
utilize an informalsecure configurations
or services.
process to the classification sensitivity of the
controls. -anIT security
Active personnel
Directory (AD), update
or a the
similar IRP, based
technology, onis
for
-facilitate IT test,
-environments,
development,
personnel
incident
Configurations
utilize anstaging
informal
management
mostly conform
and production
process
operations
to
tothat information
industry- -lessons
primarily ITincident
security response
learned
used
andfrommostly
personnel
to
capability
conform
identify
incidents.
centrally-manage
using
data a
to industry-
protection
identities and
design, build and including
maintain thesecure
implementation
configurations of documented
recognized
and and tested
standards Incident
forIncident
hardening Response Plan
(e.g., DISA
cover
recognized preparation,
standards detection
for and analysis,
hardening (e.g., DISA -(IRP)
permissions. An privacy
Integrated
to
controls
Due
facilitate Security
to that
technical
incident
are appropriate
or
managementResponse
business toTeam
appropriate
for
containment, data
test, development, protection
eradication andand
staging andprivacy
production
recovery. STIGs,
address CIS Benchmarks
applicable or OEM
statutory, security
regulatory guides),
and
STIGs, CIS Benchmarks orthe
OEM security guides). (ISIRT),
limitations,
operations or similar function,
asset/process
that cover exists
owners
preparation, toareform an on-
authorized
detection and
controls.
-environments,
IT personnel utilize including
an informal implementation
process to of contractual including cryptographic
requirements protections
for incident for sensitive
response.
demand,
to
analysis, operate integrated
a decentralized
containment, team of formally-assigned
access
eradication control
and recovery.
-appropriate
Configurations data mostly
protectionconform and to industry-
privacy
design, build and maintain secure configurations -cybersecurity, data. IT security
recognized
controls. standards for hardening (e.g., DISA program --anIT Active forpersonnel
security IT, privacy
their
personnel
Directory specific
(AD),
implement
and
systems,
update
orexecute the
a similar
and
business
IRP,
maintain
function
applications
based
technology, onis
for test, development, staging and production representatives
-
or ITincident
security
services. response
that
personnel capability
canidentify using a
coordinated
data protection
STIGs,
-environments, CIS Benchmarks
Configurations mostly or OEM
conform security
to guides).
industry- lessons
primarily
documented learned
used andtofrom incidents.
centrally-manage
tested Incident identities
Response and
Plan
including the implementation of incident and response
privacy controls operations.
thatIncident
are appropriate toTeam
-recognized
Incident response
standards is decentralized,
for hardening with
(e.g., the
DISA -
permissions.
(IRP) An Integrated
to Due
facilitate Security
to technical
incident or
managementResponse
business
appropriate data protection and privacy -(ISIRT), IT personnel, or function,
a statutory,
similar function, implement
responsibility
STIGs, CIS Benchmarks
controls. for training or users and enforcing
OEM security guides). address limitations,
operations
and
applicable
or
maintain
similar
asset/process
thatan cover
asset
regulatory
exists
owners
preparation,
management
toareform and
an on-
authorized
detection
capability,and
policies being assigned to users’ supervisors and contractual
demand,
to operate arequirements
integrated
decentralizedteam for
of incident
access response.
formally-assigned
control
- Configurations mostly conform to industry- analysis,
including
-cybersecurity, containment,
IT securityendpoint eradication
devices. and recovery.
managers,
recognized including
standards the
for definition
hardeningand (e.g., DISA program
--anIT forpersonnel
security
ITincident
personnel,
IT, privacy
their
personnelaspecific
orthat
implement
and
systems,
update
similar the
function,
and
business
IRP,
maintain
function
applications
based
support on
SP-CMM1
enforcement is N/A, since a
of users’ roles structured
andsecurity process
responsibilities is representatives
-lessons
or ITservices.
security response
personnel capability
can execute
identifybydatausing a
coordinated
protection
STIGs, CIS Benchmarks or OEM guides). incident
documented learned
response from
and tested incidents.
operationsIncident provisioning
Response Plan
required
for incidentto maintain
response. and make available a incident
and response operations.
An privacy controls thatIncident
areresponders
appropriate toTeam
(IRP) -(IRP)
-current
Incident response is decentralized, Integrated Security Response
and viable Incident Responsewith Planthe and
-
address IT deprovisioning
to facilitate
personnel,
applicableor a incident
incident
similar
statutory, management
function, with
implement
regulatory and
responsibility for training users and enforcing (ISIRT),
temporary
operations or similar
emergency
that function, exists todetection
accounts. form an on-
to all stakeholders. and maintain ancover
asset preparation,
management capability,and
policies being assigned to users’ supervisors and contractual demand,
analysis,
requirements
integrated
containment, team for
of incident response.
formally-assigned
eradication and recovery.
SP-CMM1 including
-cybersecurity, endpoint
IT security personnel devices.
implement and maintain
managers,isincluding N/A, since theadefinition
structuredand process is
--anIT security IT, privacy
personnel and business
update the IRP, function
required to establish an integrated
enforcement of users’ roles and responsibilities -lessons team of representatives IT
IT
personnel,
incident
security
or
response a
that
personnel
similar
can function,
capability
execute
identify using a based on
support
coordinated
data protection
incident
documented learned
response from
and tested incidents.
operationsIncidentby provisioning
Response Plan
cybersecurity,
for incident response. IT and business function incident
and response operations.
-representatives
Incident response operations lack a formal -(IRP)
and An privacy
Integrated
to
controls
deprovisioning
facilitate Security thatIncident
incident
incident
areresponders
appropriate
managementResponse toTeam
with
that are capable of addressing address -(ISIRT), IT personnel,
applicableor a similar
statutory, function, implement
regulatory and
Incident Response Plan (IRP) to guide temporary
operations or similar
emergency
that function, exists todetection
accounts. form an on-
cybersecurity and privacy incident response and
contractual
demand, maintain ancover
asset
requirements
integrated
preparation,
teammanagement
for
of incident capability,
response.
formally-assigned
and
operations. analysis,
including
-cybersecurity, containment,
endpoint
IT security personnel eradication
devices.
implement and recovery.
and maintain
-SP-CMM1
IT personnel utilize
is N/A, sinceanainformal
structured process
processto is --anIT security IT, privacy
personnel and business
update the IRP, function
representatives ITincident
personnel, orthat
response a similar function,
capability
can execute using a based on
support
coordinated
facilitate
required to incident
perform management
digital forensics and that -lessons
operations incident response
documented
IT security
learnedpersonnel
from
and tested
identify
incidents.
operationsIncident
data protection
by provisioning
Response Plan
cover
maintain preparation,
the integrity detection
of the chain of custody, in incident
and analysis, and
-(IRP)
and
response
An privacy
Integratedcontrols
deprovisioning
to facilitate
operations.
Security thatIncident
incident
incident
areresponders
appropriate
managementResponse toTeam
with
containment,
accordance with eradication
applicable and regulations and address
recovery.
laws, -(ISIRT), IT personnel,
applicable
or similaror function,
a statutory,
similar function,
exists implement
regulatory
todetection
form and
an on-
temporary
operations
and maintain emergency
thatan cover
asset accounts.
preparation,
management capability,and
-industry-recognized
IT personnel utilize secure an informal process
practices. to contractual
demand, requirements
integrated team for
of incident response.
formally-assigned
analysis,
including containment,
endpoint eradication
devices. and recovery.
design, build and maintain secure configurations -cybersecurity, IT security personnel
IT, privacy implement
and business and maintain
function
--anIT security
ITincident
personnel, personnel
orthat
response a similarupdate the
function,
capability IRP,
using based
support
a on
for test, development, staging and production representatives
-lessons IT security personnel can execute
identifybydata coordinated
protection
incident
documented learned
response
and from
tested incidents.
operationsIncident provisioning
Response Plan
environments, including the implementation of incident and
-(IRP) response
An privacy
Integratedcontrols operations.
Security thatIncident
areresponders
appropriate
Response toTeam
appropriate data protection and privacy and
-(ISIRT), deprovisioning
to facilitate
IT personnel, or a incident
incident
similar management
function, with
implement
address
temporary applicable
or similar
emergency statutory,
function, regulatory
exists
accounts. to form and
an on-
controls. operations
and
contractual maintain thatancover
asset
requirements preparation,
management
for detection
incident capability,
response.and
demand,
analysis, integrated
containment, team of formally-assigned
eradication and recovery.
- Configurations mostly conform to industry- including
-cybersecurity, endpoint
IT security personnel devices.
implement and maintain
SP-CMM1 IT, privacy and business function
recognizedisstandardsN/A, sincefor a structured
hardening (e.g., process is
DISA --anIT security
ITincident
personnel, personnel
orthat
response a similarupdate the
function,
capability IRP,
using a based on
support
required representatives can execute coordinated
STIGs, CIStoBenchmarks
incorporateorlessons learned guides).
OEM security from lessons
incident
documented learned andfrom
response incidents.
operations
tested Incidentby provisioning
Response Plan
analyzing incident response operations.
- Incident and resolving
response cybersecuritywith
is decentralized, andthe -(IRP)
and An Integrated
deprovisioning
to facilitate Securityincident
incident Incident Response
responders
management withTeam
privacy incidents -(ISIRT),
IT personnel, or function,
a similar function, implement
responsibility for to reduce
training the likelihood
users and enforcing or temporary
operations or similar
emergency
that exists
accounts. to form an on-
impact
policiesof future
being incidents.
assigned to users’ supervisors and and demand, maintain ancover
integrated asset preparation,
teammanagement
of
detection
capability,
formally-assigned
and
-analysis,
IT security
including personnel
containment,
endpoint identify
eradication
devices. dataandprotection
recovery.
-managers,
IT personnel utilize the
including an informal
definition process
and to cybersecurity, IT, privacy and business function
and
-- IT privacy controls
IT security
personnel, personnel
orthat that
a similar are
update appropriate
the IRP,
function, to on
based
support
design,
SP-CMM1 buildis and
N/A, maintain
since a secure
structured configurations
enforcement of users’ roles and responsibilities address process is representatives can execute coordinated
lessons applicable
learned from statutory,
incidents. regulatory and
for
for test,
required development,
incidentto maintain stagingresponse
response.incident and productioncontacts incident incident
contractual
response
response
requirements
operations
operations. by provisioning
forresponders
pre-production
environments, including the implementation of -andAn deprovisioning
Integrated SecurityincidentIncident Response withTeam
with applicable regulatory and law enforcement -security IT personnel,
and or function,
privacy a similar
control function,
testing. implement
appropriate (ISIRT),
temporary or similar
emergency exists
accounts. to form an on-
agencies. data protection and privacy and
- IT maintain
personnel, anor asset
a management
similar function, capability,
implement
controls. demand, integrated team of formally-assigned
including endpoint devices.
- IT personnel conduct limited control testing to and
maintain
cybersecurity, aIT,
Information
privacy andAssurance Program
business function
-(IAP)
IT personnel,
capability
representatives or
for a
that similar
all function,
high-value
can execute support
projects.
coordinated
meet specific contractual requirements for pre- incident response operations by provisioning
- IAP controls are primarily administrative and
production security and privacy control testing. incident and
response
deprovisioning
operations.
incident responders
preventative
- IT personnel, inornature
a similar(e.g.,function, & with
policiesimplement
- Data management is decentralized. temporary emergency accounts.
standards) to manage technical controls for
- All endpoint devices containing sensitive data and maintain an asset management capability,
security
including and privacydevices.
endpoint requirements.
utilize a cryptographic mechanism to prevent the
- IAP operationsorfocus
IT personnel, a similaron protecting High Value
function, support
unauthorized disclosure of information at rest
Assets
incident (HVAs),
response including
operationsenvironments
by where
provisioning
(e.g., whole drive encryption).
sensitive
and data is stored,
deprovisioning transmitted
incident responders andwith
- Configurations mostly conform to industry-
processed.
recognized standards for hardening (e.g., DISA temporary emergency accounts.
STIGs, CIS Benchmarks or OEM security guides). - Business Process Owners (BPOs) are made
aware of security and privacy risk(s).
and privacy controls that are appropriate to
address applicable statutory, regulatory and
contractual requirements for pre-production
security and privacy control testing.
SP-CMM1 is N/A, since a structured process is -- IT IT personnel, or a similar
security personnel function,
identify implement
data protection
required to generate System Security Plans and maintain
and privacy controls that are appropriate a Information Assurance Program
to
(SSPs), or similar document repositories, to (IAP) capability
address applicable statutory, regulatory and for all high-value projects.
identify and maintain key architectural -contractual IAP controls are primarilyfor
requirements administrative
pre-production and
information on each critical system, application preventative security and privacy control testing. in nature (e.g., policies &
or service, as well as influencing inputs, entities, standards) -- IT to manage technical controls for
systems, applications and processes, providing a security IT personnel,
security
and
or a similar
personnel
privacy
function,
identify
requirements.
implement
data protection
and
and maintaincontrols
a Information Assurance Program
SP-CMM1
historical record is N/A,ofsince a structured
the data process is
and its origins. -(IAP) IAPprivacy
operations
capability focus
for
that
all on are appropriate
protecting
high-value
to
High Value
projects.
required to require system developers and address
Assets applicable
(HVAs),are statutory,
including regulatory
environments and
where
-contractual IAP controls primarily
requirements administrative
for pre-production and
integrators to create and execute a Security Test sensitive data is stored, transmitted and
preventative
security and privacy control testing. in nature (e.g., policies &
and Evaluation (ST&E) plan to identify and processed.
standards)
-- IT personnel,to manage
or aOwners technical
similar controls
function, for
implement
remediate flaws during development. Business Process (BPOs) are made
security
and and
maintain privacy requirements.
a Information Assurance Program
-aware
-(IAP) IT of security
IAPsecurity personnel
operations and privacy
focus develop
on risk(s).
and disseminate
protecting High Value
SP-CMM1 is N/A, since a structured process is guidance capability for
to facilitate all high-value
theenvironments projects.
secure and timely
required to ensure Assets (HVAs), including where
- IT personnel utilizesystems, projects
an informal and to
process -implementation
sensitive
IAP controls
data
are
is ofprimarily
maintenance
stored,
administrative
transmitted controls
and
and
across
services are officially authorized prior to "go
facilitate the secure and timely implementation processed. live" preventative
the enterprise, in nature
including (e.g., policies
preventative & and
in - IT security personnel identify data protection
of amaintenance
production environment.
controls across the enterprise, standards) reactionary
-security
and privacy Business
to manage technical
maintenance
Process
controls Owners (BPOs)
controls
operations. are
that are appropriate to
for
made
including preventative and reactionary -address and
Maintenance privacy
controlsrequirements.
are primarily
aware
-administrative ofapplicable
security
IAP operations and privacy
statutory,
focus risk(s). Highand
regulatory
on protecting Value
maintenance operations. contractual and preventative
requirements for in nature
Mobile Device (e.g.,
- Maintenance controls are primarily Assets
policies (HVAs),
& including
standards) to environments
manage change where
control
Management (MDM).
administrative and preventative in nature (e.g., sensitive processes
-- IT
data
personnel,
is stored,
associated
or a with
similar
transmitted
maintenance
function,
and
implement
policies & standards) to manage change control operations. processed. IT security personnel identify data protection
and
--and maintain
Business an MDM
privacyProcess
controls Owners
that capability
are(BPOs) for
areallmade
appropriate mobile
to both
processes associated with maintenance devices Maintenance
in use operations
at the are
organization. decentralized
operations. aware
address
in terms ofapplicable
security
of change and privacy regulatory
statutory,
management risk(s).
and and
execution.
SP-CMM1 is N/A, since a structured process is - MDM controls are primarily administrative and
-requiredMaintenance operations
to enforce accessare decentralized
control requirementsboth contractual -preventative requirements
Asset custodiansin are expected
nature
for Mobile
(e.g.,
Deviceand
to publish
policies &
in Management (MDM).to conduct controlled and
forterms of change of
the connection management and to
mobile devices execution. maintain standards)
-- IT
procedures
personnel,to manage
or a similar bothfunction,
configurations
implementand
organizational systems. timely
access maintenance
IT security
controlpersonnel
forMDM activities
mobile identify throughout
devices.data protectionthe
and
-lifecycle IT maintain
of
security the ansystem,
personnel capability
application
identify datafor
or all mobile
service.
protection
SP-CMM1 is N/A, since a structured process is required to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network.

- Mobile devices in use at the organization are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive data.
- MDM controls are primarily administrative and preventative in nature (e.g., policies & standards).
- IT personnel, or a similar function, implement and maintain a Mobile Device Management (MDM) capability for all mobile devices.
- IT personnel, or a similar function, manage both configurations and access control for mobile devices.
- IT personnel, or a similar function, facilitate the implementation of secure networking practices.
- IT security personnel identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for network security management.

SP-CMM1 is N/A, since a structured process is required to remotely purge selected information from mobile devices.

- IT personnel utilize an informal process to design, build and maintain secure networks for test, development, staging and production environments, including the implementation of appropriate data protection and privacy controls.
- Network management is decentralized.
- Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).

- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive data is stored, transmitted and processed.
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive data.
- Active Directory (AD), or a similar technology, is primarily used to centrally-manage identities and permissions. Due to technical or business limitations, asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications or services.

- IT personnel, or a similar function, facilitate the implementation of secure networking practices that protect the confidentiality, integrity, availability and safety of the organization's technology assets, data and network(s).
- IT security personnel identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for network security management.

SP-CMM1 is N/A, since a structured process is required to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.

- IT personnel facilitate the implementation of appropriate physical security practices that protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.
- Physical security controls are primarily administrative and preventative in nature (e.g., policies & standards).
- Physical access control is decentralized and focuses on protecting High Value Assets (HVAs).

- A facilities maintenance team, or similar function, facilitates the operation of physical and environmental protection controls.
- Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
- Physical controls, administrative processes and technologies are designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive data is stored, transmitted and processed.

- IT security personnel facilitate the implementation of appropriate physical security practices that protect the confidentiality, integrity, availability and safety of the organization's technology assets and data.
- Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
- Physical security controls are primarily administrative and preventative in nature (e.g., policies & standards).

SP-CMM1 is N/A, since a structured process is required to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).

- A qualified individual is formally assigned the role as a Privacy Officer to lead the organization's privacy program. This individual may be assigned to multiple duties, including that as a Data Protection Officer (DPO).
- The privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and contractual privacy obligations are properly identified and implemented across the organization.
- The Privacy Officer identifies appropriate "privacy principles" that systems, applications, services, processes and third-parties must adhere to, based on leading privacy practices.
- The Privacy Officer works closely with business units and project teams to ensure privacy principles are appropriately designed and implemented.
- IT, or security engineering staff, conduct limited functional testing of applicable privacy controls as part of "business as usual" pre-production testing.

SP-CMM1 is N/A, since a structured process is required to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

SP-CMM1 is N/A, since a structured process is required to implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed.

SP-CMM2 is N/A, since a well-defined process is required to implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed.

SP-CMM1 is N/A, since a structured process is required to facilitate the implementation of security and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives.

- IT personnel utilize an informal process to facilitate the implementation of security and privacy-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.
- A Project Management Office (PMO), or project management function, facilitates the implementation of security and privacy-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.
- Project management is mainly decentralized, with the responsibility for enforcing security and privacy control implementation being assigned to users' supervisors and managers.
- IT security personnel identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for project management.

- IT personnel utilize an informal process to design, build and maintain secure configurations for test, development, staging and production environments, including the implementation of appropriate data protection and privacy controls.
- Project management is decentralized and generally lacks formal project managers or broader oversight.
- IT staff work with business process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.

- Project Managers (PMs) work with IT security and privacy personnel to conduct Data Protection Impact Assessments (DPIAs) for
-appropriate
IT staff work withprotection
business process owners to management.
projects thatrequirements
involve Personal Data (PD)
data and privacy contractual
help ensure secure practices are implemented -considerations.
Project Managers (PMs), for work project
with IT security
controls. management.
throughout the SystemisDevelopment and privacy personnel, to conduct Data
- Project management decentralizedLifecycle
and -Protection
Project Managers (PMs), work (DPIAs) with IT security
(SDLC) for all high-value projects. Impact Assessments for
generally lacks formal project management and
projects that involve Personal DataData
privacy personnel, to conduct (PD)
managers or broader oversight. Protection Impact Assessments (DPIAs) for
considerations.
- IT staff work with business process owners to projects that involvefacilitates
Personal project
Data (PD)
- The PMO governs
help ensure secure practices are implemented considerations.
involvement for Information Assurance Program
throughout the System Development Lifecycle
(IAP) as part of the organization’s established
(SDLC) for all high-value projects.
project management processes to ensure both
security and privacy principles are identified and
implemented.
assessed,
contractual remediated and for reported.
including
-- Risk therequirements
managementidentification,
is decentralized
risk management.
remediation where and
reporting IT securityof personnel,
risks. or a similar function,
business
implements process owners are
and maintains expected to self-
a rudimentary Risk
-manage Risk management
IT security
riskspersonnel processes
associated identify (e.g.,
with their risk
datasystems,
protection
Management
assessments)
and Program
and
privacy controls (RMP)
technologies that provides
focus on
applications,
operational servicesthat
guidance and
on
are
data,
how
appropriate
based
risk
to
on the
is identified,
- IT personnel utilize an informal process to protecting
address High
applicable Value Assets
statutory, (HVAs),
regulatory including
and
organization’s
assessed, published
remediated policies
and forreported. and standards,
identify, assess, remediate and report on risk. environments
contractual where sensitive data is stored,
including
-- Risk therequirements
managementidentification,
is decentralized
risk management.
remediation where and
-SP-CMM1 Data management
is N/A, since is decentralized.
a structured process is transmitted IT security and processed.
personnel, or a similar function,
reporting
business of risks.
process owners are expected to self-
-required Risk management
to facilitateisthedecentralized
implementation whereof risk --implements Data management is decentralized
and maintains a rudimentary where Risk
manage Risk management
IT security
riskspersonnel processes
associated identify
with (e.g., risk
datasystems,
their protection
business
management process owners are expected to self-
controls. business
Management process owners
Program are
(RMP) expected
that to take
provides
assessments)
and
applications, and
privacy controls technologies
services that
and are
data, focus
appropriate
based on to
on the
manage
- IT personnel risks associated with their
utilize an informal systems,
process to the
operational initiative to work
guidance with
on Data
how Protection
risk is identified,
protecting
address
organization’s High
applicable Value Assets
statutory,
published (HVAs),
regulatory
policies and including
and
standards,
applications,
identify, assess, remediate and report on
services and data, based on the Officers (DPOs) to ensure andapplicable
risk. assessed,
environments
contractual
including
remediated
the where
requirements
identification,
reported.
sensitive
for data
risk isstatutory,
stored,
management.
remediation and
organization’s
- Data management published policies and standards,
is decentralized. regulatory
-transmitted Risk and
management contractual
is obligations
decentralized are
where
-reporting IT securityof and processed.
personnel,
risks. or a similar function,
including
- Risk management the identification, remediation
is decentralized where and properly
business addressed,
process including
owners are the storage,
expected to self-
--implements Data
Risk management
and
management is decentralized
maintains
processes a of
rudimentary
(e.g., where
risk Risk
reporting of risks. -transmission IT security personnel
and identify
processing data protection
sensitive
business process owners are expected to self- manage
business
Management
assessments)
risks
processassociated
owners
Program
and
with
are
(RMP)
technologies
their
expected
that todata.
systems,
provides
focus on take
-manage Risk management
risks associatedprocesses (e.g.,systems,
with their risk and
-the
applications, privacy controls
Technologies are
services that
configured
and are
data,appropriate
toProtection
protect
based to
ondata
the
- IT personnel utilize an informal process to operational
protecting initiative
Highto work
guidance
Value with
on
AssetsData
how risk
(HVAs),is identified,
including
assessments)
applications, and technologies
services and data, focus
basedon on address
with
organization’s the applicable
strength statutory,
and
published integrity regulatory
policies commensurate
and and
standards,
identify,
protecting assess,
High remediate
Value Assets and report
(HVAs), on the
risk.
including
Officers
assessed,
environments
contractual
with
(DPOs) to ensure
remediated
where
requirements
the classification and applicable
reported.
sensitive
for data
risk
or sensitivity isstatutory,
stored,
management.
of the
organization’s published policies and standards, including
regulatory
-transmitted Risk the
and
managementidentification,
contractual
is remediation
obligations
decentralized are
where and
-environments Data management is decentralized.
where sensitive data is stored, -information IT security and processed.
personnel,
and mostly or a similar
conform to function,
industry-
including the identification, remediation and reporting
properly
business of risks.
addressed,
process including
owners are the storage,
expected to self-
- Risk management
transmitted and is decentralized
processed. where --implements
recognized Data management
and isfor
maintains
standards decentralized
a of
rudimentary
hardening where
(e.g., Risk
DISA
reporting of risks. -transmission
manage Risk management
IT security
riskspersonnel
and processes
identify
processing
associated with (e.g.,
data
their risk
protection
sensitive
systems, data.
-business
-manage
processmostly
Configurations
Risk management
ownersconform
are expected
processes (e.g., risk
to self-
to industry- business
Management
STIGs,
assessments) CISprocess owners
Program
Benchmarks
and orare
(RMP)
OEM
technologies expected
that toguides),
provides
security
focus on take
risks associated with their systems, and
-the
applications, privacy controls
Technologies
initiative toare
services
work that
configured
and
with are
data,
Data appropriate
toProtection
protect
based on to
data
the
recognized
- IT personnel and
assessments) standards
utilize for hardening
an informalfocus
technologies (e.g.,
process to DISA operational
including
protecting guidance
cryptographic
High Value on how risk
protections
Assets (HVAs),is identified,
for sensitive
including
applications, services and data, basedon on the address
with
organization’s
Officers the applicable
strength
(DPOs) statutory,
and
published
to ensure integrity regulatory
policies
applicablecommensurate
and and
standards,
STIGs,
identify,
protecting
organization’s
CIS Benchmarks
assess, remediate
Highpublished or
Value Assets OEM
and security
report
(HVAs),
policies
onguides).
risk.
and including
standards,
assessed,
data.
environments
contractual
with
including
remediated
where
requirements
the classification
the
and reported.
sensitive
for data
risk
or sensitivity
identification, remediation isstatutory,
of stored,
management.
the and is
-environments Data management issensitive
decentralized. regulatory
-transmitted Risk
Active and
management
Directory
and contractual
is
(AD),
processed. or a obligations
decentralized
similar are
where
technology,
including the where
identification, data is stored,
remediation and -information
reporting IT securityof personnel,
and
risks.mostly or a similar
conform to function,
industry-
properly
business
-primarily addressed,
process
used including
owners
tomaintains are
centrally-manage the storage,
expected to self-
identities
- Risk management
transmitted
reporting of and
risks.
is decentralized where
processed. -implements
recognized
transmission
Data
Risk management
and
standards
management
IT security personnel
and
isfor
decentralized
processes a of
identify
processing rudimentary
hardening
(e.g.,
data
where
(e.g.,
risk Riskand
DISA
protection
sensitive data.
-business processmostly
Configurations ownersconform
are expected to self-
to industry- manage
permissions.
business
Management
STIGs, risks
processassociated
Due to
owners
Program
CIS Benchmarks with
technical
are
(RMP)
or are
OEM their
or
expected
that systems,
business to
provides take
-manage Risk management
risks processes
associated with (e.g.,
their risk
systems,
assessments)
and
-the
applications,
limitations, privacy
Technologies
initiative
and
controls
are technologies
services that
configured
asset/process
to work and
with data,
owners
Data tosecurity
focus
appropriate
protect
based
are on
Protectionon
guides),
to
data
the
authorized
recognized
- IT personnel and
assessments) standards
utilize for hardening
an informalfocus
technologies (e.g.,
process to DISA operational
including
protecting guidance
cryptographic
High Value on how risk
protections
Assets (HVAs),is identified,
for sensitive
including
applications,
STIGs,
identify, CIS services
Benchmarks
assess, remediateand
or data,
OEM
and basedon
security
report on
on the
guides).
risk.
address
with
organization’s
to
Officers
assessed,
data.
the
operateapplicable
strength
a
(DPOs) to
remediated
statutory,
and
published
decentralized
ensureintegrity
and
regulatory
policies
access
applicablecommensurate
reported. and and
standards,
control
statutory,
protecting Highpublished
Value Assets (HVAs), environments where sensitive data is stored,
organization’s
-environments Data management policies
issensitive
decentralized.and including
standards, contractual
with
including
program
regulatory
--information Risk
Active the
for requirements
the classification
and
managementidentification,
their
Directory specific
contractual
is
(AD), or
for
a
risk
or sensitivity management.
remediation
systems,
obligations
decentralized
similar
of the
are
where and is
applications
technology,
where data is stored, transmitted
reporting
or IT security
services.of and processed.
personnel,
risks.mostly or a similar
conform to function,
industry-
including the identification, remediation and properly
business addressed,
process including
owners are the storage,
expected to self-
- Risk management
transmitted and is decentralized where
processed. -primarily
-implements
recognized Data
Risk
used
management
andtomaintains
centrally-manage
standards
management isfor
decentralized
a of
rudimentary
hardening identities
where
(e.g., Riskand
DISA
reporting
-business
of risks.
processmostly
Configurations ownersconform
are expected to self-
to industry-
transmission
manage
permissions.
business
Management
STIGs,
IT security
risks
CIS Due
process toprocesses
personnel
and owners
Program
Benchmarks
identify
processing
associated with
technical
are
(RMP)
or OEM
(e.g.,
data
that
risk
protection
sensitive
their
or systems,
business
expected to
provides
security
data.
take
guides),
-manage Risk management processes (e.g., risk assessments)
and
-the
applications,
limitations, Technologies and
are technologies
privacy asset/process
controls
services that
configured
and are
data,
owners tofocus
appropriate
protect
based
are on
on to
data
the
authorized
recognized
- IT personnel and risks associated
standards
utilize forwith their
hardening
an informalfocus systems,
(e.g.,
process to DISA operational
including initiative to work
guidance
cryptographic with
on Data
how Protection
risk
protections is identified,
for sensitive
assessments) technologies protecting High Value Assets (HVAs), including
applications, services and data, basedon on the address
with
organization’s
to
Officers the
operateapplicable
strength
a
(DPOs) statutory,
and
published
decentralized
to ensure integrity regulatory
policies
access
applicablecommensurate
and and
standards,
control
STIGs,
identify,
protecting CIS Benchmarks
assess, remediate
Highpublished or
Value Assets OEM
and security
report
(HVAs), onguides).
risk. assessed,
data.
environments remediated
where and reported.
sensitive data isstatutory,
stored,
organization’s
-environments Data management policies
issensitive
decentralized.and including
standards, contractual
with
including
program
regulatory
-transmitted Risk
Active the
for requirements
the classification
and
managementidentification,
their
Directory specific
contractual
is
(AD), or
for
a
risk
or sensitivity management.
remediation
systems,
obligations
decentralized
similar
of the
are
where and is
applications
technology,
where data is stored, -information
reporting
or IT security
services.of and
and processed.
personnel,
risks.mostly or a similar
conform to function,
industry-
including the identification, remediation and properly
business addressed,
process including
owners are the storage,
expected to self-
- Risk management
transmitted and is decentralized where
processed. -primarily
-implements
recognized Data
Risk
used
management
andtomaintains
centrally-manage
standards
management isfor
decentralized
a of
rudimentary
hardening identities
where
(e.g., Riskand
DISA
reporting
-business
of risks.
processmostly
Configurations ownersconform
are expected to self-
to industry-
transmission
manage
permissions.
business
Management
STIGs,
IT security
risks
CIS Due
process toprocesses
personnel
and owners
Program
Benchmarks
identify
processing
associated with
technical
are
(RMP)
or OEM
(e.g.,
data
that
risk
protection
sensitive
their
or systems,
business
expected to
provides
security
data.
take
guides),
-manage Risk management processes (e.g., risk assessments)
and
-the
applications,
limitations, Technologies and
are technologies
privacy asset/process
controls
services that
configured
and are
data,
owners tofocus
appropriate
protect
based
are on
on to
data
the
authorized
recognized risks associated
standards forwith their
hardening systems,
(e.g., DISA operational
including initiative to work
guidance
cryptographic with
on Data
how Protection
risk
protections is identified,
for sensitive
assessments) and technologies focus protecting High Value Assets (HVAs), including
applications, services and basedon
data, security onguides).
the address
with
organization’s
to
Officers the
operateapplicable
strength
a
(DPOs) statutory,
and
published
decentralized
to ensure integrity regulatory
policies
access
applicablecommensurate
and and
standards,
control
STIGs,
protecting CIS Benchmarks
Highpublished or
Value Assets OEM (HVAs), assessed,
data.
environments remediated
where and reported.
sensitive data isstatutory,
stored,
organization’s policies and including
standards, contractual
with
including
program
regulatory
-transmitted Risk
Active the
for requirements
the classification
and
managementidentification,
their
Directory specific
contractual
is
(AD),
for risk
or sensitivity management.
remediation
systems,
obligations
decentralized
or a similar
of the and is
applications
are
where
technology,
environments where sensitive data is stored, -information
reporting
or IT security
services.of and
and processed.
personnel,
risks.mostly or a similar
conform to function,
industry-
including the identification, remediation and properly
business
-primarily addressed,
process
used including
owners
tomaintains are
centrally-manage the storage,
expected to self-
identities
transmitted
reporting of and risks.processed. -implements
recognized
-transmission
Data
Risk management
and
standards
management
IT security personnel
and
isfor
decentralized
processes a of
identify
processing rudimentary
hardening
(e.g.,
data
where
(e.g.,
risk Riskand
DISA
protection
sensitive data.
-- Configurations mostly conform to industry- manage
permissions.
business
Management
STIGs, risks
processassociated
Due to
Program
CIS Benchmarks with
technical
owners are
(RMP)
or are
OEM their
or
expected
that systems,
business to
provides take
Risk management processes (e.g., risk assessments)
and
-the
applications,
limitations, privacy
Technologies
initiative
and
controls
are technologies
services that
configured
asset/process
to work and
with data,
owners
Data tosecurity
focus
appropriate
protect
based
are on
Protectionon
guides),
to
data
the
authorized
recognized
-assessments) standards
IT personnel andutilize for hardening
an informalfocus
technologies (e.g.,
process
on to DISA operational
including
protecting
address guidance
cryptographic
High
applicable Value on how
Assets
statutory, risk
protections
(HVAs),is
regulatory identified,
for sensitive
including
and
with
organization’s
to
Officers the
operate strength
a
(DPOs) and
published
decentralized
to ensureintegrity
policies
access
applicablecommensurate
and standards,
control
statutory,
STIGs,
identify,
SP-CMM1 CIS
protecting isHigh Benchmarks
assess, remediate
N/A,Value or
sinceAssets OEM
and security
report
a structured on
(HVAs),process guides).
risk.
includingis assessed,
data.
environments
contractual remediated
where
requirements and reported.
sensitive
for data
risk is stored,
management.
with
including
program
regulatory the classification
the
for
andtheir or sensitivity
identification,
specific
contractual remediation
systems,
obligations of the and is
applications
are
-requiredData management
environments whereisupdate
to routinely decentralized.
sensitive risk assessments
data is stored, --information
transmitted Risk
Active
IT management
Directory
security and is
(AD), decentralized
processed.
personnel,
and mostly or
or a
a similar
similar
conform to where
technology,
function,
industry-
reporting
or
properly
business services.of risks.
addressed,
process including
owners are the storage,
expected to self-
-and Riskreact
transmitted management
accordingly is decentralized
and processed.upon identifying where
new -primarily
-implements
recognized Data used
management
andtomaintains
centrally-manage
standards
Risk management isfor
decentralized
a of
rudimentary
hardening identities
where
(e.g., Riskand
DISA
business
security processmostly
ownersincluding
vulnerabilities,
- Configurations are expected
conform using
to to self-
outside
industry-
transmission
manage
permissions.
business
Management
STIGs, risks
CIS
and
Due
process toprocesses
processing
associated
owners
Program
Benchmarks with
technical
are
(RMP)
or OEM
(e.g.,
or
expected
that
risk
sensitive
their systems,
business to
provides
security
data.
take
guides),
assessments)
-the
applications,
limitations, Technologies and
are technologies
servicesconfigured
asset/process and data,
owners tofocus
protect
based
are on
on data
the
authorized
manage
sources
recognized risks
for associated
security
standards forwith
vulnerabilitytheir
hardening
- IT personnel utilize an informal process to systems,
information.
(e.g., DISA operational
including initiative to work
guidance
cryptographic with
on Data
how Protection
risk
protections is identified,
for sensitive
protecting
with
organization’s
to the
operate High
strength
a Value
and
published
decentralized Assets
integrity (HVAs),
policies
access including
commensurate
and standards,
control
applications,
STIGs, CISassess,
identify, services
Benchmarks
remediateand data,
or OEM based on
and security
report the
onguides).
risk. Officers
assessed,
data. (DPOs) to
remediated ensureand applicable
reported. statutory,
environments
with
including
program the
for where
the classification sensitive
or sensitivity
identification,
their specific dataapplications
remediation
systems, is stored,
of the and is
organization’s
- Data management published policies and standards,
is decentralized. regulatory
-information Risk
Active and
management
Directory contractual
is
(AD), obligations
decentralized
or a similar are
where
technology,
transmitted
reporting
or services.of and processed.
risks.mostly conform to industry-
including the identification, remediation and properly
business addressed,
process including
to owners are the storage,
expected to self-
- Risk management is decentralized where -primarily
-recognized Data used
management centrally-manage
standards
Risk management isfor
decentralized
hardening identities
where
(e.g., DISAand
reporting of risks.
business process owners are expected to self- transmission
manage
permissions.
business
STIGs, risks
CIS
and
Due
process
Benchmarkstoprocesses
processing
associated with
technical
owners orare
OEM
of (e.g.,
or risk
sensitive
their systems,
business
expected
security to data.
take
guides),
-manageRisk management processes (e.g.,systems,
risk assessments)
-the Technologies
applications,
limitations, and
are technologies
servicesconfigured
asset/process and data,
owners tofocus
protect
based
areforon
on data
the
authorized
- IT personnelrisks associated
utilize with their
an informal process to including initiative to work
cryptographic with Data
protections Protection sensitive
assessments) and technologies focus protecting High Value Assets (HVAs), including
applications,
identify, services
assess, remediateand data,
and basedon
report on
on the
risk.
with
organization’s
to
Officers
data.
environments
the
operate strength
a
(DPOs) to and
published
decentralized
whereensureintegrity
policies
access
applicable
sensitive
commensurate
and standards,
control
statutory,
dataapplications
is stored,
protecting
organization’s High Value
published Assets (HVAs), including
policies and standards, with
including
program the classification
the
for or sensitivity
identification,
their specific remediation
systems, of the and is
-environments
Data management is decentralized. regulatory
-information
transmitted and
Active Directory
and contractual
(AD),
processed. or aobligations
similar are
technology,
including where sensitive
the identification, data is stored,
remediation and reporting
or services.of and
risks.mostly conform to industry-
properly
-primarily addressed,
used including
to centrally-manage the storage,
identities
- Risk management
transmitted and is decentralized
processed. where Data
-recognized management
standards
Risk management isfor
decentralized
hardening where
(e.g., DISAand
reporting
-business
of risks.
processmostly
Configurations ownersconform
are expected to self-
to industry-
transmission
permissions.
business
STIGs, CIS Due
process
Benchmarkstoprocesses
and owners
processing
technical
orare
OEM
of (e.g.,
or
expected
risk
sensitive
business
security to data.
take
guides),
-manage
Risk management processes (e.g., risk assessments)
-the Technologies and technologies tofocus on
recognized risks associated
standards forwith their
hardening systems,
(e.g., DISA limitations,
includinginitiative
protecting toare
work
cryptographic
High
configured
asset/process
Value with owners
Data
protections
Assets
protect
arefor
Protection
(HVAs),
data
authorized
sensitive
including
assessments)
applications, and technologies
services and focus
basedon
data, security onguides).
the with
to the
operate strength
a and
decentralized integrity
access commensurate
control
STIGs, CIS Benchmarks or OEM Officers
data.
environments (DPOs) to
whereensure applicable
sensitive statutory,
dataapplications
is stored,
protecting
organization’s Highpublished
Value Assets (HVAs),
policies and including
standards, with
program the classification
forand
their or sensitivity
specific systems, of the
regulatory
-information
Active Directory
transmitted and contractual
(AD),
processed. or aobligations
similar are
technology, is
environments where sensitive
including the identification, remediation data is stored,
and or services. and mostly conform to industry-
properly
-primarily
Data addressed,
used
management to including
centrally-manage
is the
decentralized storage,
identities
where and
transmitted
reporting of and risks.processed. recognized standards for hardening (e.g.,data.
DISA
transmission
permissions.
business and owners
Due
process processing
to technical
are of sensitive
orsecurity
business
expected toguides),
take
-- Configurations
Risk management mostly conform
processes to industry-
(e.g., risk STIGs, CIS Benchmarks or OEM
-theTechnologies
limitations,
initiative toare configured
asset/process
work with DatatoProtection
owners protect data
areforauthorized
recognized
assessments) and technologies focus(e.g.,
standards for hardening on DISA including cryptographic protections sensitive
with
to
Officersthe(DPOs)
operate strength
a and
decentralized
to ensureintegrity
access
applicablecommensurate
control
statutory,
STIGs, CIS Benchmarks or OEM security
protecting High Value Assets (HVAs), including guides). data.
with
program the classification
regulatory forand
their or sensitivity
specific
contractual systems, of the
applications
environments where sensitive data is stored, -information
Active Directory
and (AD),
mostly or aobligations
similar
conform to
are
technology,
industry- is
or services.
properly
primarily addressed,
used including
to centrally-manage the storage,
identities
transmitted and processed. recognized
transmission standards for hardening
and processing DISAand
(e.g.,data.
oforsensitive
- Configurations mostly conform to industry- permissions.
STIGs, CIS Due
Benchmarksto technical
or OEM business
security guides),
- Technologies
limitations, are configured
asset/process owners to protect data
areforauthorized
recognized standards for hardening (e.g., DISA including cryptographic protections sensitive
with
to the strength
operate a and integrity
decentralized access commensurate
control
STIGs, CIS Benchmarks or OEM security guides). data.
with
programthe classification
for their specific or sensitivity of the
systems, applications
availability
contractualand safety of the
requirements fororganization’s
network security
technology
management. assets, data and network(s).
-- IT IT engineeringorgovernance is decentralized,
-with IT personnel,
security
the
a similar
personnel
responsibility
function,
identify
for
facilitate the
data protection
implementing and
implementation
and privacy of secure
controls that engineering
are appropriate practices
to
testing
that cybersecurity
protect and
the confidentiality,privacy controls
integrity,and being
SP-CMM1 is N/A, since a structured process is address
assigned applicable
to the statutory,
business process regulatory
owner(s),
availability
contractual and safety of the
requirements organization’s
forenforcement
network security
required to facilitate the implementation of including
technology the definition
assets, data and
and network(s). of roles
industry-recognized security and privacy management.
and responsibilities.
-- IT IT engineering
personnel, orgovernance
a similar is decentralized,
function, facilitate the
practices in the specification, design, --with A Change
IT security
the Advisory
personnel
responsibility Board
identify
for (CAB),data
implementingorprotection
similar
and
development, implementation and modification implementation structure,
and
testing privacy exists of
to secure
govern
controls that
cybersecurity and are
engineering
changes to
appropriate
privacy
practices
controls to being
SP-CMM1
of systemsisand N/A, since a structured process is
services. that
systems/applications/services
address protect the confidentiality,
applicable statutory, tointegrity,
ensure and
regulatory their
[Recovered text from interleaved spreadsheet columns; duplicate cells removed. Which control row each cell belongs to is not recoverable from this span.]

SP-CMM1 cells:

required to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations.

SP-CMM1 is N/A, since a structured process is required to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.

SP-CMM1 is N/A, since a structured process is required to obtain, protect and distribute administrator documentation for systems that describe:
▪ Secure configuration, installation and operation of the system;
▪ Effective use and maintenance of security features/functions; and
▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.

SP-CMM1 is N/A, since a structured process is required to develop applications based on secure coding principles.

SP-CMM1 is N/A, since a structured process is required to approve, document and control the use of live data in development and test environments.

SP-CMM1 is N/A, since a structured process is required to require system developers and integrators to perform configuration management during system design, development, implementation and operation.

SP-CMM1 is N/A, since a structured process is required to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party.

SP-CMM1 is N/A, since a structured process is required to limit privileges to change software resident within software libraries.

SP-CMM1 is N/A, since a structured process is required to facilitate the implementation of third-party management controls.

SP-CMM1 is N/A, since a structured process is required to evaluate security risks associated with the services and product supply chain.

SP-CMM1 is N/A, since a structured process is required to mitigate the risks associated with third-party access to the organization’s systems and data.

SP-CMM1 is N/A, since a structured process is required to monitor, regularly review and audit supplier service delivery for compliance with established contract agreements.

SP-CMM1 is N/A, since a structured process is required to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

SP-CMM1 is N/A, since a structured process is required to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party.

SP-CMM1 is N/A, since a structured process is required to facilitate the implementation and monitoring of vulnerability management controls.

SP-CMM1 is N/A, since a structured process is required to ensure that vulnerabilities are properly identified, tracked and remediated.

Other maturity-level cells (recovered, deduplicated):

- IT personnel utilize an informal process to design, build and maintain secure solutions.
- IT engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and privacy controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.
- A Change Advisory Board (CAB), or similar function, exists to govern changes to systems/applications/services to ensure their stability, reliability and predictability.

- IT security governance is decentralized, with the responsibility for developing and operating cybersecurity and privacy procedures being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.
- Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).

- A Human Resources (HR), or similar function, works with IT personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.
- Security awareness and training methods are mainly generic, without organization-specific content.
- Personnel management is mainly decentralized, with the responsibility for training users on new technologies and enforcing policies being assigned to users’ supervisors and managers.
- IT security personnel conduct security awareness and training.

- An application development team has an informal software development process that is based on secure coding principles.
- A Project Management Office (PMO), or project management function, facilitates the implementation of security and privacy-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.
- Project management is mainly decentralized, with the responsibility for enforcing security and privacy control implementation being assigned to users’ supervisors and managers.
- Procurement contracts require third-party developers of systems, system components or services to follow secure engineering practices.

- IT personnel utilize an informal process to govern technology development and acquisition.
- Project management is decentralized and generally lacks formal project management managers or broader oversight.
- IT staff work with business process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
- Configurations mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).

- IT personnel utilize an informal process to govern third-party service providers.
- Procurement contracts require third-party service providers to follow secure engineering practices.

- IT security personnel provide oversight for vulnerability management and direct remediation efforts to IT functions.
- IT personnel, or a similar function, facilitate the implementation of software patches and other vulnerability remediation efforts.
- IT security personnel conduct recurring vulnerability scanning of internal and external network segments.
- IT security personnel conduct annual penetration testing on network segments housing High Value Assets (HVAs).

- IT security personnel identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for network security management.
- IT personnel, or a similar function, facilitate the implementation of secure practices that protect the confidentiality, integrity, availability and safety of the organization’s technology assets, data and network(s).
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive data.
- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive data is stored, transmitted and processed.
remediation scanning
efforts to of
IT internal
functions. and external
focus
address
network on protecting
applicable
segments. HVAs,
statutory, including
regulatory and
-environments IT personnel, or a similar
where sensitivefunction,
data isfacilitate
securitythe
stored,
SP-CMM1 is N/A, since a structured process is -contractual IT security requirements
implementation personnel
of software
for
conduct network
annual
patches and other
required to address new threats and transmitted
management.
penetration and processed.
testing on network segments
vulnerability remediation efforts.
vulnerabilities on an ongoing basis and ensure --housing IT
IT security
Highpersonnel
Value Assetsprovide oversight
(HVAs). for
assets are protected against known attacks. IT security
-vulnerability security personnel
personnel
management
identify
conductand
data protection
recurring
direct
-vulnerability
and Administrative
privacy controlsprocesses
scanning that
of technologies
are appropriate to
- IT personnel utilize an informal process to remediation
focus
address on efforts
protecting
applicable to IT internal
HVAs, functions.
statutory, including
and external
regulatory and
network
-environments segments.
IT personnel, or a similar function,
design,
SP-CMM1 build and maintain
is N/A, secure networks
since a structured process for
is -contractual where
IT security requirements
personnel sensitive
for
conduct data
network
annualisfacilitate
securitythe
stored,
test, development, staging and production implementation
transmitted
management. and of software
processed. patches and other
required to identify and correct flaws related to penetration - IT security personnel testing on identify
network segments
data protection
environments, including
the collection, usage, the implementation
processing or of vulnerability -and
housing IT security
High
privacy
remediation
personnel
Value
controls Assets
that
efforts.
provide oversight for
(HVAs).
are appropriate to
appropriate data protection and(PD).
privacy - IT security
vulnerability personnel
management conductand recurring
direct
dissemination of Personal Data -vulnerability
addressAdministrative
applicable processes
statutory, and technologies
regulatory and
controls. remediation scanning
efforts to of
IT internal
functions. and external
focus
contractual
network on segments.
protecting HVAs,
requirements including
for network security
- IT personnel, or a similar function, facilitate the -environments IT personnel, where
management. or a similar
sensitivefunction,
data isfacilitate
stored, the
implementation of software patches through an -implementation IT security personnel
-transmitted
IT personnel, and or
conduct
ofa software
processed.
similar
annual
patches
function, and other
informal process. penetration testing
- IT security personnel
vulnerability on identify
remediation network
efforts. protectionthe
facilitate
segments
data
implementation
housing
and privacy of
Highcontrols secure
Value Assets
that networking
(HVAs).
are appropriate practices
to
- Network management is decentralized. -that IT security
protect personnel
the conduct
confidentiality, recurring
integrity,
- Configurations mostly conform to industry- - Administrative
address
vulnerability applicable processes
scanningstatutory,
of the and technologies
regulatory
internal and
and external
availability
focus
contractual and
on segments. safety
protecting of
HVAs,
requirements organization’s
including
for network security
recognized standards for hardening (e.g.,
SP-CMM1 is N/A, since a structured process is DISA network
technology assets, data and network(s).
STIGs, CIStoBenchmarks orimplementation
OEM security guides). environments
management. where sensitive data is stored,
required facilitate the of an ---transmitted IT
IT
security personnel
Administrative
personnel, and orprocessesconduct
processed.
a similar
annual
and technologies
function, facilitate the
-enterprise-wide
Occasional vulnerability scanning is
web management conducted
policy, as well penetration focus testing on
on protecting Highnetwork
Value segments
Assets (HVAs),
on High Valuestandards,
Assets (HVAs). implementation
housing High of secure
Value Assets networking
(HVAs). practices
as associated controls and including
that protectenvironments
the where
confidentiality, sensitive
integrity, data is
-procedures.
Penetration testing services are not internal -stored,
Administrative
transmitted processes
and and technologies
processed.
competencies and have to be outsourced. availability
focus and safety
on protecting of the
HVAs, organization’s
-technology
Network management
assets, data is including
and decentralized.
network(s).
SP-CMM1 is N/A, since a structured process is environments
-- Technologies where
are sensitive
configured data is stored,
Administrative
transmitted and processes
processed. andtotechnologies
protect data
required to utilize a Demilitarized Zone (DMZ) to with the strength and integrity commensurate
focus on protecting High Value Assets (HVAs),
restrict inbound traffic to authorized devices on with the classification or sensitivity of the
including environments where sensitive data is
certain services, protocols and ports. information and mostly
stored, transmitted and conform
processed. to industry-
recognized standards forishardening
- Network management decentralized.(e.g., DISA
STIGs,
- Technologies are configured to protectguides),
CIS Benchmarks or OEM security data
including cryptographic
with the strength protections
and integrity for sensitive
commensurate
data.
with the classification or sensitivity of the
information and mostly conform to industry-
recognized standards for hardening (e.g., DISA
STIGs, CIS Benchmarks or OEM security guides),
including cryptographic protections for sensitive
data.
SP-CMM 3 Well Defined | SP-CMM 4 Quantitatively Controlled

SP-CMM 3 Well Defined:
- A Governance, Risk & Compliance (GRC) team, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and privacy obligations that facilitate the implementation of secure practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data.
- Formal governance program exists for both security and privacy.
- Governance function is formally assigned with defined roles and associated responsibilities.
- Compliance requirements for security and privacy are identified and documented.
- Cybersecurity policies and standards are verified to address all applicable statutory, regulatory and contractual requirements.
- Controls are assigned to sensitive assets to adhere to specific compliance requirements.
- Documentation is made available to internal personnel and third-party stakeholders.
- Procedures are standardized across the organization to ensure uniformity and consistent execution.
SP-CMM 4 Quantitatively Controlled:
- Metrics are used to evaluate the effectiveness of the governance program, based on historical trends.
- Metrics are used to evaluate the coverage of policies and standards against obligations.
- Metrics are used to evaluate the number of violations or exceptions to policies and standards.
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Processes exist to collect detailed metrics that are capable of providing a quantitative understanding of process capabilities and an improved ability to predict process performance.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- A Governance, Risk & Compliance (GRC) team, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and privacy obligations that facilitate the implementation of secure practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data.
- Documentation is made available to internal personnel and third-party stakeholders.
- Recommendations for edits are submitted for review and are handled in accordance with documentation change control processes.
- Stakeholders are involved in the review process for proposed changes.
- Updated version is published at least annually, based on the review process.
- People affected by the changes are provided notification of the changes.
- Formal review process is performed on an annual basis, or as business conditions require a review.
- Review process includes the scope of the review, both currently-applicable and pending statutory, regulatory and contractual obligations.
SP-CMM 4 Quantitatively Controlled:
- Formal review process is performed on an annual basis, as business conditions require a review, or as metrics indicate a review is necessary.
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- A Governance, Risk & Compliance (GRC) team, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and privacy obligations that facilitate the implementation of secure practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data.
- A Human Resources (HR), or similar function, ensures industry-recognized HR practices are implemented for assigning and managing roles and responsibilities.
- The role and responsibilities of governing the organization’s cybersecurity program is formally assigned to a qualified individual (e.g., Chief Information Security Officer).
- The role and responsibilities of governing the organization’s privacy program is formally assigned to a qualified individual (e.g., Chief Privacy Officer or Data Protection Officer).
SP-CMM 4 Quantitatively Controlled:
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.

SP-CMM 3 Well Defined:
- A Governance, Risk & Compliance (GRC) team, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and privacy obligations that facilitate the implementation of secure practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data.
- Comprehensive metrics exist to provide organization-wide oversight of privacy controls.
- Process exists to routinely analyze metrics.
- Organizational leadership maintains a formal process to review and respond to metrics (e.g., monthly or quarterly review).
SP-CMM 4 Quantitatively Controlled:
- Scope of metrics covers organization-wide cybersecurity & privacy controls, including functions operated by third-parties.
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of formally-assigned cybersecurity, IT, privacy and business function representatives that can execute coordinated incident response operations.
- Incident response personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement.
- Contact information is verified during incident response exercises and is updated on at least an annual basis.
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of formally-assigned cybersecurity, IT, privacy and business function representatives that can execute coordinated incident response operations.
- Designated incident response personnel sign up for membership in public/private information sharing organizations (e.g., InfraGard).
- Cybersecurity and privacy personnel in supervisory positions subscribe to news feeds from groups and associations to facilitate ongoing education and training.
- Cybersecurity and privacy personnel are encouraged to attend and be involved in local groups and associations.
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- An IT Asset Management (ITAM) program, or similar function, governs asset management that ensures compliance with requirements for asset management.
- Inventory of IT assets covers both physical and virtual assets to create a holistic visibility into the organization’s assets.
- Inventories are predominately automated, but may have some manual components (e.g., cloud-based assets that are out of scope for automated inventory scans).
- Inventories are configured to be recurring scans, based on the IT Asset Management (ITAM) tool configuration settings.
- ITAM leverages an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- ITAM function is formally assigned with defined roles and associated responsibilities, including software licensing.
- Quarterly IT asset inventories are reviewed and shared with appropriate stakeholders.
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.
- Quarterly IT asset inventories and metrics are reviewed and shared with appropriate stakeholders.

SP-CMM 3 Well Defined:
- Cybersecurity and privacy policies and standards cover software licensing restrictions for users, as part of acceptable and unacceptable behaviors.
- An IT Asset Management (ITAM) program, or similar function, governs asset management that ensures compliance with requirements for asset management.
- Inventories are configured to be recurring scans, based on the ITAM tool configuration settings.
- ITAM leverages an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- ITAM tool is configured to detect and alert on instances of unauthorized software.
- Software license violations are investigated by the ITAM team, in coordination with cybersecurity personnel, when necessary.
- Software Asset Management (SAM) solution is utilized to centrally-manage deployed software.
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- IT Asset Management (ITAM) program maintains an inventory of IT assets and covers both physical and virtual assets and centrally-manages asset ownership assignments.
- Inventory of IT assets covers both physical and virtual assets to create a holistic visibility into the organization’s assets.
- Inventories are predominately automated, but may have some manual components (e.g., cloud-based assets that are out of scope for automated inventory scans).
- Inventories are configured to be recurring scans, based on the ITAM tool configuration settings.
- ITAM leverages an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- ITAM function is formally assigned with defined roles and associated responsibilities, including software licensing.
SP-CMM 4 Quantitatively Controlled:
- Quarterly IT asset inventories and metrics are reviewed and shared with appropriate stakeholders.
SP-CMM 3 Well Defined:
- Data Protection Officer (DPO) maintains a centralized repository of sensitive data flows.
- Application/system/process owners categorize data in accordance with organizational policies and standards.
- Application/system/process owners, in conjunction with IT and cybersecurity personnel, document where personal data is stored, transmitted and processed in order to document sensitive data flows.
- Application/system/process owners, in conjunction with IT and cybersecurity personnel, generate Data Flow Diagrams (DFDs) and network diagrams.
- On at least an annual basis, or after any major technology or process change, the application/system/process owner updates the data mapping documentation.
SP-CMM 4 Quantitatively Controlled:
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- Data Loss Prevention (DLP) technologies prevent unauthorized devices from connecting to endpoint devices to control the distribution of sensitive data.
- Content filtering blocks users from performing ad hoc file transfers through unapproved file transfer services (e.g., Box, Dropbox, Google Drive, etc.).
- Users are educated on their responsibilities to strictly control sensitive media (e.g., USBs, mobile devices, external drives, etc.).
- Organizational policies and standards cover media handling requirements for users.
- Data classification and handling criteria govern user behavior for media handling.
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight into the distribution of media via local devices (e.g., USBs) and ad hoc transfers (e.g., ShareFile, Box, etc.) to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- File Integrity Monitoring (FIM) is deployed on systems that store, process or transmit sensitive data to monitor the integrity of critical files to detect tampering.
- Host-based Intrusion Prevention System (HIPS) is deployed on unattended systems to identify and block hostile activities.
- Periodic physical inspections are performed to validate the integrity of the unattended systems.
- Organizational policies and standards cover security requirements for unattended systems (e.g., kiosks, ATMs, etc.).
- Hardened system configurations are used for unattended systems to enforce the principle of "least functionality" by removing unnecessary accounts, applications and services.
SP-CMM 4 Quantitatively Controlled:
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.

SP-CMM 3 Well Defined:
- Third-party providers are utilized to provide world-wide coverage to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent such system components from entering the gray market.
- An IT Asset Management (ITAM) program, or similar function, governs asset management.
- ITAM leverages an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- Organizational policies and standards cover requirements for users to dispose of, destroy or repurpose system components when it is no longer needed for business or legal reasons.
SP-CMM 4 Quantitatively Controlled:
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to securely destroy technology assets and media when it is no longer needed for business or legal reasons.
- Metrics are developed that provide management oversight of asset management to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- An IT Asset Management (ITAM) program, or similar function, governs asset management.
- ITAM leverages an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets assigned to users.
- Departing user’s supervisor collects assets and returns the assets to ITAM personnel.
- Devices are "escrowed" in storage for a period of time before being wiped and reissued, in case data on the devices are needed for investigations or business purposes.
- Assets not returned are reported as a security incident, based on the data that may exist on the device(s).
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- Anti-theft software is installed on laptops and mobile devices to track assets that are removed from facilities. If possible, alerting is enabled for sensitive assets.
- Physical access points are monitored or staffed to identify personnel who bring in or remove IT assets into facilities.
- Users are trained and encouraged to stop and question anyone attempting to install or remove IT assets from facilities.
- Organizational policies and standards cover requirements for approving assets from entering or existing facilities.
SP-CMM 4 Quantitatively Controlled:
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- Formal Disaster Recovery (DR) program exists for both security and privacy.
- DR function is formally assigned with defined roles and associated responsibilities, including critical roles that require redundancies and/or cross training.
- DR requirements for security and privacy are identified and documented.
- Controls are assigned to sensitive assets to comply with specific DR requirements to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
SP-CMM 4 Quantitatively Controlled:
- Metrics are developed that provide management oversight to ensure Business Continuity / Disaster Recovery (BC/DR) is functioning and tested.
- Metrics reporting includes this process so it can be quantitatively analyzed.

SP-CMM 3 Well Defined:
- Formal Disaster Recovery (DR) program exists for both security and privacy.
- DR function is formally assigned with defined roles and associated responsibilities, including critical roles that require redundancies and/or cross training.
- DR requirements for security and privacy are identified and documented.
- Controls are assigned to sensitive assets to comply with specific DR requirements to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- On at least an annual basis, DR personnel conduct real-world DR exercises to validate the viability for both disaster recovery and contingency plans.
- …restore the site in the event of a catastrophe, emergency, or similar-type disruptive incident in…
facilities.
assigned
accordance
-Point DR personnel with the
work Continuity
with business of Operations
stakeholders - On at least an annual
(COOP)
function
Objectives
plan.
is formally
(RPOs). assigned with defined comply Metricswith are specific
developed DRbasis, DR personnel
that provide
requirements to
to
roles
-- On identify
and
at least business-critical
associated
an annual systems
responsibilities
basis, DR and
to restore facilitate recovery operationsto
personnel services. conduct
management real-world
oversight exercises
to ensure
in validate
Business
accordance the with
-conduct
the DR requirements
IT personnel
site inreal-world eventfor
the develop of security
Disaster
a and
catastrophe, privacyPlans
Recovery are Continuityviability disaster
/ DisasterrecoveryRecovery and contingency
(BC/DR) is plans.
identified and exercises to validate the
documented. Recovery Time Objectives (RTOs) and Recovery
(DRP)
-emergency,
viability Formal to recover
Disaster
or
disaster business-critical
Recovery
similar-type
recovery (DR) systems
program
disruptive
and contingency and
exists
incident in - DR
functioningpersonnel and work
tested. with business stakeholders
-services. Controls are assigned to sensitive assets toplans. Point to
Objectives (RPOs).
identify business-critical
for
accordance
-comply DRboth security
personnel with andwith
the
work privacy.
Continuitybusiness of Operations
stakeholders -See
- Metrics
On SP-CMM3.
at reporting
least an SP-CMM4
annual includes issystems
basis, this
DR process
N/A, sinceanda services.
personnel so it can
-(COOP) Business
DR with
function
plan. specific
stakeholders
is formally DR requirements
develop
assigned Business
with to
defined -
be IT personnel
quantitatively develop
analyzed. Disaster Recovery Plans
to identify business-critical systems and services, quantitatively-controlled
conduct real-world exercises process
to is not the
validate
facilitate
-Continuity
roles DR and recovery
Plans
associated
requirements operations
(BCPs)
for to ensureinand
responsibilities,
security accordance
business
including
privacy arewith -(DRP) Formal to recover
Disaster business-critical
Recovery (DR) systems
program and
exists
including related plans (e.g., incident necessary to establish an alternate storage site
Recovery
functions
critical
identified rolesTime
are
and that Objectives
sustainable
require
documented. (RTOs)
both
redundancies and response,
during Recovery
and after
and/or
viability disaster
services.
for both security
recovery
and privacy.
and contingency plans.
breach notification, etc.). that
- DR includes
personnel bothwork thewithassets and necessary
business stakeholders
Point
an Objectives
incident. (RPOs).to sensitive assets to
cross
-- Controls
--comply IT
On
training.
personnel
at least
are assigned
an develop
annual Disaster
basis, DR Recovery
personnel Plans -agreementstoBusiness
DR function
identify stakeholders
toispermit
formally
business-critical thedevelop
assigned
storage
systems Business
with
and defined
andrecovery
services,
(DRP) DR requirements
to with
recover specific forDR security
requirements
business-critical andsystems
privacy
to and are roles Continuity
of system
including Plans
and related
associated
backup (BCPs) to
information.
plans (e.g.,ensure
responsibilities,
incidentbusiness
including
response,
conduct
identified real-world
and documented. exercises to validate
operations in accordance with critical the functions rolesarethatsustainable
require both during
sinceand after
facilitate
services.
viability
recovery
disaster recovery and contingency plans. breach
See SP-CMM3. notification, SP-CMM4 etc.).redundancies
is N/A, aand/or
-Recovery Controls
-- Business are
Time assigned
Objectives
stakeholders to sensitive
(RTOs)
develop andassets to
Recovery an
cross incident.
training.
quantitatively-controlled process is not
comply
Point Dedicated with
Objectives alternate
specific
(RPOs). DRstorage siteBusiness
requirements is identified
to
- IT personnel develop Disaster Recovery Plans
-necessary
DR requirements to establish for security
an alternate andsystems
privacy
processing are
Continuity
and Plans (BCPs) to ensure business (DRP) to recover business-critical and
On documented.
facilitate
-functions at least recovery
are an operations
annual
sustainable basis,
both induring
DR accordance
personnel and with identified
after site and documented.
that provides
services. security measures equivalent
-conduct
Technologies
Recovery Time exist to conduct
Objectives to full,
(RTOs) and incremental
Recovery -to
an
or incident. real-world
differential backups
exercises validate the - Controls
that of the
Business are assignedsite.
primary
stakeholders to sensitive
develop assets to
Business
Point
viability Objectives
disaster (RPOs).(e.g.,
recovery and tape/disk,
contingency hybrid plans. comply with specific DR
Continuity Plans (BCPs) to ensure business requirements to
cloud
- On atorleast
Organization direct-to-cloud).
anacquires
annual basis, spaceDR personnel
to serve as the facilitate recovery operations in accordance with
-conduct
IT personnel utilize functions are sustainable both during and after
alternate real-world
site that aa safe
backup
isexercises tomethodology
distancevalidate
fromthe the Recovery Time Objectives (RTOs) and Recovery
(e.g.,
viability
inaccessiblegrandfather,
disasterfacility father
recovery &and
(e.g., dedicatedsoncontingency
rotation)
facility toor store an
plans.
incident.
Point Objectives (RPOs).
backups
-cloud
DR personnel offsite, separate from the primary
instance).work with business stakeholders - On at least an annual basis, DR personnel
storage
to
- ITidentify site.
personnel business-critical
maintain technologies systems and thatservices.
are conduct real-world exercises to validate the
-compatible
IT personnel with develop
existing Disaster
network Recovery
and Plans viability disaster recovery and contingency plans.
(DRP) to recover
infrastructure business-critical systems and
configuration. - DR personnel work with business stakeholders
services.
- IT personnel maintain network connectivity to identify business-critical systems and services.
-from
Technologies
the alternate existsiteto conduct
to the businessfull, incremental
locations - IT personnel develop Disaster Recovery Plans
or differential
- providing thebackups
ability for (e.g.,
data tape/disk,
communications hybrid (DRP) to recover business-critical systems and
cloud or direct-to-cloud).
to support business processes. services.
-ensures IT personnel
that no work with business
unnecessary changes stakeholders
are made, -beMetrics reporting includes this process so it can
quantitatively analyzed.
to
that all changes are documented, that identify business-critical systems andservices
services. be quantitatively analyzed.
-are IT infrastructure personnel create and maintain -- Metrics IT resourceare utilization
developedisthat monitored,
provide analyzed
not unnecessarily disrupted and that -and
management Formal CM program
optimized. oversightensures to ensure thatChange
no
aresources model ofare infrastructure
used efficiently. performance to unnecessary changes are made, that all changes
understand current resource needs. Technology -Management Demand is managed for computing
(CM) process is operating resources
in an
-- CM Formalprogram
Change leverages
Management Information(CM) program are
based
optimal capacity. documented,
on that
stakeholder-provided services are not
prioritization.
-Infrastructure IT infrastructure personnel produce a capacity
ensures
plan that that
coversnoLibrary
unnecessary
current
(ITIL) Service
use, changes
forecasted
Management
areneeds
made, unnecessarily
-- Metrics IT personnel disrupted
reporting withand
workincludes businessthatprocess
this resources so itare
stakeholders can
practices
that all to govern
changes are CM operationsthat
documented, (includes
services used
to
be quantitatively analyzed. efficiently.
identify business-critical systems and services.
and
SecDevOps supportconsiderations).
costs for new -- CM IT program
infrastructure leverages
personnel Information
create andTechnology
maintain
are
systems/applications/services. not unnecessarily disrupted and that Formal CM program ensures that no
-resources CM function is formally
are used assigned with defined
efficiently. Infrastructure
aunnecessary Library
model of infrastructure (ITIL) Service
performance
changes are made, that all changes Management
to
-roles IT infrastructure
and associated personnel build the annual
responsibilities. practices to current
govern CM operations (includes
-infrastructure CM program growth leverages Information Technology understand
are documented, that resource
services needs.
are not
-Infrastructure CM requirements plan
for(ITIL) with
security input
and from both
privacy are SecDevOps considerations).
Library Service Management - IT infrastructure
unnecessarily personnel
disrupted and that produce a capacity
resources are
technology
identified andand business
documented. stakeholders. -plan CM that
function is formally assigned with defined
practices to govern CMfor operations (includes used covers
efficiently. current use, forecasted needs
-- Demand A ChangeisAdvisorymanaged Boardcomputing
(CAB), or similar resources roles and associated
SecDevOps considerations). and
- CMsupport program costs forresponsibilities.
leverages new Information Technology
based
structure, on stakeholder-provided
governs changes to prioritization. -systems/applications/services.
CM requirements for security andManagement
privacy are
-- CM function
IT architects is formally
identify assigned
"right-size" with defined
solutions to Infrastructure Library (ITIL) Service
systems/applications/services
roles and associated responsibilities.to ensure their identified
- IT infrastructure
practices and
to documented.
govern personnel
CM operations build the annual
(includes
make
stability, sure service
reliability and levels can be
predictability.met. -infrastructure A Change Advisory
-- CM requirements growthBoard plan with(CAB),input or similar
from both
-identified A Governance,
Changes are Riskfor
tracked
security
&through
Compliance and (GRC)
privacyteam,
a centralized
are SecDevOps
structure,
technology
considerations).
governs
and changes to
or and
similar function, documented. - CM function is business
formally stakeholders.
assigned with defined
technology
-regulatory A Change and solutionensures
Advisory to submit,
Board
thatreview,
(CAB),
statutory, approve
or similar systems/applications/services
-roles IT architects identify "right-size"
and associated responsibilities. to ensure
solutions their
to
and assign contractual
Requests for cybersecurity
Change (RFC). and stability,
make sure reliability
service and
levels predictability.
can be met.
structure,
privacy governs changes to governed. - CM requirements for security and privacy are
-systems/applications/services Prior toobligations
changes being are properly
made,to RFCsensureare their -identified Changes and are tracked
documented. through a centralized
-reviewed Clear delineation is established
for cybersecurity that
and privacy business technology solution to submit, review, approve
-stability, IT personnel utilize
reliability and a dedicated
predictability. -See A Change Advisory Board
process
-ramifications. A owners and
Governance, Riskother&through stakeholders
Compliance (GRC) own the
team, and SP-CMM3.
assign SP-CMM4
Requests for is(CAB),
Change N/A,(RFC). or similar
since a
development/test/staging
-compliance Changes are tracked
requirements, environments
while a centralized
the GRC to structure,
quantitatively-controlled governs changes to
process is not
-technology
or
deploy File Integrity
similar and Monitoring
function,
evaluate
solution ensures
changes.
to (FIM)
submit, alerts
thatreview,
statutory,are -systems/applications/services
Prior to changes being made, RFCs are their
function
investigated
regulatory merely
andfor provides
unauthorized
contractual oversight
changes.
cybersecurity andapprove
expertise
and the necessary
reviewed to test
for and document
cybersecurity and
to ensure
proposed
privacy
-and
consulting. A structured
assign set
Requests of controls
for Change are tested
(RFC). after stability, reliability and predictability.
-change changes in a non-production environment
-- Access
privacy Prior
The to
GRC
control
obligations
is changes is being
implemented governed
are properly
function isleverages to
made, to RFCs
ensure limit IT the
governed. ability
security
are
industry-leading andof ramifications.
-before Changes are tracked
changes through a centralized
are implemented in a production
-non-administrators
privacy
reviewed Clear delineation
controls
forgovern from
are operating
cybersecurity making
established configuration
that
andproperly.
privacy business -technology File Integrity Monitoring
solution to (FIM)review,
submit, alerts are
approve
practices
changes to
to andcompliance-related
systems/applications/services. environment.
investigated for unauthorized changes.
-process
ramifications.
requirements. Results owners
from testing other
changes stakeholders
are own the
documented. -and
See assign
Metrics areRequests
developed
SP-CMM3. SP-CMM4 for Change
that
is N/A, (RFC).
provide
since a
compliance requirements, while the GRC -management
- Access Prior tocontrol is being
governed to RFCs
limit the
are ability of
--function File Integrity
The GRCmerely Monitoring
function is formally
provides
(FIM) alerts are
assigned
oversight and with
expertise quantitatively-controlled
non-administrators
changes oversight
from
made,
to ensure
process
making
security
is not
configuration
investigated
defined roles for
and unauthorized
associated changes.
responsibilities. reviewed
assessments
necessary for cybersecurity
operate inthe and privacy
anidentification
optimal
tosystems/applications/services.
facilitate capacity.and
-consulting.
-- A Governance,
Access control Risk
is & Compliance
governed to limit (GRC)
the team,
ability changes to
or
-non-administrators The GRC
similar
The function
function provides
GRC function, ensures
leverages stakeholders
that statutory,
industry-leading with of -ramifications. Metrics reporting
implementation of relevant legislative includes this process so it can
statutory,
status reports on from making
control execution configuration
to enable -regulatory
be File Integrity
quantitatively Monitoring
analyzed.
and contractual controls. (FIM) alerts are
regulatory
practices
changes toand
to contractual
govern cybersecurity
compliance-related
systems/applications/services. and
security controls oversight. -investigated A Governance, for unauthorized
Risk & Compliance changes. (GRC) team,
privacy
requirements. obligations are properly governed. -or Access control is governed to limit thea ability of
-- Statutory, regulatory and contractual See similar
SP-CMM3.function, ensures
SP-CMM4 is that
N/A, statutory,
since
The GRC function is formally assigned with non-administrators from making configuration
requirements for security andresponsibilities.
privacy are regulatory
quantitatively-controlled and contractual cybersecurity
process is not and
defined roles and associated changes totosystems/applications/services.
identified and documented. privacy
necessary obligations
provide area security
properlycontrols governed.
- Statutory, The GRC function regulatory and contractual
provides stakeholders with
-status Auditreports
Committee, or similar -oversight The GRCfunction.
function is formally assigned with
requirements for
on security
control andstructure,
privacy
execution to aregoverns
enable
changes to compliance operations to ensure its defined
- Metrics are developed roles and associated responsibilities.
that provide
identified
security controls oversight. and documented.
stability, reliability and predictability. - Statutory, regulatory
management oversightand contractual
to ensure functional
- The GRC function
Statutory, regulatory conducts security and privacy
and contractual
Compliance tasks and controls arethat managed requirements
reviews of for security
security controls and privacyinare
-control
requirements A Governance, forRisk
assessments, &
onCompliance
security a and
cadence
privacy (GRC)
areis team, -identified Metrics are anddeveloped
documented. that provide an
operate
through
-or
defined
identified A similar a
Governance, centralized
function,
byand Risk
thedocumented. &technology
ensuresCompliance
that solution
(GRC)
statutory,
applicable statutory, regulatory (e.g.,
team, optimal
management capacity. oversight to ensure the and privacy
GRC
or
regulatory solutions)
similar function,
and to assign
ensures
contractual controls,
that track
statutory,
cybersecurity control
and -- The GRCreporting
Metrics function conducts
includes process security
this process so it can
and contractual requirements.
- Audit Committee, or similar structure, governs configuration management is operating
activities and report on compliance operations. control assessments, on a cadence that is
-regulatory
privacy
changes Upon
An and
obligations
completing
IT infrastructure
to contractual
compliance are
an team, cybersecurity
properly
assessment, governed.
or similar
operations GRC
to andits
function
function,
ensure bean
in
defined
quantitatively
optimal analyzed.
capacity.
by the applicable statutory, regulatory
privacy
-generates
ensures
stability, The GRC obligations
thatfunction
a formal
statutory,
reliability are
is
report
and properly
formally for each
regulatory
predictability. governed.
assigned with
security
and --See A Governance,
SP-CMM3.
Metrics reporting Riskincludes
SP-CMM4 & Compliance
is N/A, since
this process (GRC)a soteam,
it can
-defined and contractual requirements.
- The
assessment
contractual GRC
Compliance function
roles that is formally
anddocuments
associated
cybersecurity
tasks and andthe
controls assigned
responsibilities.
assessment
privacy
are with of
obligations
managed or
be
-regulatory
similar function,
quantitatively-controlled
quantitatively
Upon completing
ensures
analyzed.
an assessment,
that
process statutory,
is not
GRC function
defined
-security
are
-through Statutory, roles
and
addressed and
regulatory
privacy associated
toRisk
a centralized
A Governance, ensure and
controls
&technology
Complianceresponsibilities.
contractual
to determine
secure configurations
solution (e.g.,
(GRC) team, necessary
-generates and
to
An IT infrastructure contractual
utilize independent
team,for cybersecurity
oreach assessors
similar and
at
function,
-requirements a formal report security
orStatutory,
acceptable
are
GRC designed,
solutions)
similar regulatory
for
risk. to security
built
function, and
assign
ensuresand contractual
and
maintained.
controls,
thatprivacytrackare
statutory, control privacy
plannedobligations
ensures intervals
that orare
statutory, when properly
regulatory governed.
the system, and service or
requirements
-identified The and
Auditconfiguration
Committee, for security
documented.
oronsimilar
management and privacy
structure,
functionare
reviews
is -assessment
project The GRC
contractual
that documents
function
undergoes is formally
significant the assessment
assigned
changes. with of
activities
regulatory
identified
-formally An assessor
andandreport
and
contractual
documented.
from within
compliance
cybersecurity
the GRC
operations.
function
and security
defined andcybersecurity
roles privacy
and controls
associated
andto privacy
determine obligations
responsibilities.
the findings
privacy from security
assigned
obligations with
are defined assessments
properly roles
governed.andand is are
acceptable addressed risk.to ensure secure configurations
-selected
-overseesThe
The GRC
associated GRCor function
a third-party
long-term
function conducts
isremediation
responsibilities. formally security
assessor and
is contracted
efforts,
assigned privacy
when
with -are Statutory,
designed, regulatory
built and and contractual
maintained.
control
to perform assessments,
an independent on a cadence
assessment that is
of -requirements
Audit Committee, for or similar
security and structure,
privacy reviews
are
applicable.
-definedConfigurations
roles andconformassociated to industry-recognized
responsibilities. -the Thefindings
configuration management function is
defined
security by
and the applicable
privacy controls.statutory, regulatory identifiedassigned from security
and documented. assessments and
standards
- Statutory, for hardening
regulatory and(e.g., DISA STIGs,
contractual CIS formally
oversees long-term with defined roles
remediation andwhen
efforts,
and
Benchmarks
requirementscontractual orforrequirements.
OEM security
security andguides)
privacyfor aretest, -associated
The GRC function conducts security and privacy
responsibilities.
-development,
Upon completing an assessment, GRC function applicable.
control assessments, on ato cadence that is
identified staging
and documented. and production - Configurations conform industry-recognized
generates
environments. a formal
- The GRC function conducts securityreport for each security
and privacy defined
standards
See SP-CMM3. by the applicable
for hardening
SP-CMM4(e.g., statutory,
is N/A, DISA regulatory
STIGs,
since a CIS
-assessment
Configuration that documents
control assessments, on a cadence that is for
management the
is assessment
centralized ofall and contractual
Benchmarks or requirements.
OEM security
quantitatively-controlled process is not guides) for test,
security
operating and privacy
systems, controls
applications,
defined by the applicable statutory, regulatory to determine
servers and -development,
Upon completing
necessary to plan an assessment,
staging
audits and production
that minimize GRCthe function
acceptable
other risk. requirements.
technologies
and contractual that are capable of being generates
environments. a formal report for
impact of audit activities on business operations. each security
-configured.
Audit Committee,
- Upon completing an or assessment,
similar structure, reviews
GRC function assessment
- Configuration thatmanagement
documents the assessmentfor
is centralized ofall
the findings
-generates
The IT security from
a formal security
function assessments
reportperforms and
an annual
for each security security and privacy controls
operating systems, applications, servers and to determine
oversees
review
assessment of long-term
existing remediation
configurations
that documents efforts,
to ensure
the assessment when of acceptable
other risk.
technologies that are capable of being
applicable.
security objectives
and privacyare still being
controls accomplished,
to determine -configured.
Audit Committee, or similar structure, reviews
or upon therisk.
acceptable release of a new application or the
- Thefindings
IT securityfromfunction
securityperforms assessments and
an annual
service that requiresoradditional
- Audit Committee, configuration
similar structure, reviews oversees long-term remediation
review of existing configurations to ensure efforts, when
settings.
the findings from security assessments and applicable.
security objectives are still being accomplished,
-oversees
Historical versions remediation
long-term of configurations efforts, arewhen or upon the release of a new application or
maintained
applicable. for troubleshooting and forensics service that requires additional configuration
reasons. settings.
- Special baseline configurations are created for - Historical versions of configurations are
"high risk" environments or for systems / maintained for troubleshooting and forensics
applications / services that store, process or reasons.
retention
are
records designed, requirements
onto abuilt and
physically todifferent
provide system
maintained. supportorfor management associated oversight to ensure data is
responsibilities.
network
environments.
Benchmarks boundary or OEM devices,
security including
guides) firewalls,
for test, contractual
standards forretention
hardening requirements.
(e.g., DISA STIGs, CIS
-after-the-fact
-system
Intrusion The
An ITconfiguration
component
infrastructure
Detection
investigations
management
than
/ team, the
Prevention or
of security
Security
similarfunction
Systems
incidents
Incident
function,is transmitted
-
- Configurations
System baseline
securely. conform
configurations to industry-recognized
verbosely log all
development,
and Configuration
to meet management
staging
statutory, and
regulatory is
production centralized
and for all Benchmarks
-standards Metrics reporting or OEM security
includes guides)
this process for test,
formally
Event
ensures
(IDS/IPS)
operating
assigned
Manager
that
and systems,inbound with
(SIEM)
statutory, defined
or
and
applications, similar
regulatory outbound roles
automated
and
servers
and
proxies.
and tool. traffic
development, (both for hardening
allowed
staging and
and (e.g.,
blocked) DISA
production STIGs,soCIS
arriving
it can
at
environments,
contractual retentionincluding the implementation of be quantitatively analyzed.
requirements.
-associated
contractual
-other System
Both inbound responsibilities.
baseline cybersecurity
and configurations
outbound and retain
privacy
network audit
ofobligations
traffic Benchmarks or OEM security guides) for test,
cryptographic
-records System technologies
Configurations baseline
for a time
protections
conformthat
period
are
configurations to capable
controls using
verbosely
industry-recognized
consistent
being
known
with records logisall network
environments.
--development, An boundary devices,
IT infrastructure
Metrics are staging
developed team,
and that
including
similar firewalls,
orprovide
production function,
are
monitored
configured.
public
traffic addressed
standards
(both for to
allowed ensure
anomalous
and trusted
and secure
or
blocked) configurations
unauthorized
cryptographic
arriving at Intrusion
- Configuration Detection /
management Prevention is Systems
centralized for all
standards
retention for
requirements hardening (e.g.,
toperforms
provide DISA STIGs,
support CISfor (IDS/IPS)ensures
environments,
management that statutory,
including
oversight regulatory
tothe and
implementation
ensure dataproxies.isand of
are
activities
-Benchmarks
technologies
network Thedesigned, or
IT security
boundary tobuilt
conditions.protectand
function
devices, maintained.
the confidentiality
including an annual
firewalls, and operating
contractual and inbound
systems,
cybersecurity and
applications, andoutbound servers
privacy obligations
-after-the-fact or OEMfunctions securityof(e.g., guides) forincidents
test, cryptographic protections controls using known
review
-integrity
Intrusion
development,
The
Logs
An to ITconfiguration
of of theinvestigations
ofprivileged
existing
infrastructure
Detection data.
staging
management
configurations
/ team,
Prevention
and
security
or similar
production
function
to administrator
ensure
Systems function,is transmitted
-other
are Both inbound
technologies
addressed
securely.
toand outbound
that
ensure aresecure network
capable of being
configurations traffic is
and
formally meetassigned statutory, with regulatory
defined roles and and public
-monitored standards
Metrics reporting and trusted
includes cryptographic
this process so it can
-or
security
ensures
(IDS/IPS)
environments,
root
Configurationactions)
objectives
that
andretention are
management
statutory,
inbound
including
reviewed
are still
regulatory
and being for
is
theoutbound
evidence
accomplished,
centralized
andproxies.of are
implementation
of
for all configured. designed,to for anomalous
built and maintained. or unauthorized
contractual
associated
unauthorized
or upon the responsibilities.
activities.
release ofrequirements.
a new application or is be technologies
activities
-- The quantitatively
IT or conditions.
security protect
analyzed.
function the confidentiality
performs an annual

- The configuration management function is formally assigned with defined roles and associated responsibilities.
- Configuration management is centralized for all operating systems, applications, servers and other technologies that are capable of being configured.
- Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
- Historical versions of configurations are securely maintained for troubleshooting and forensics reasons.
- Deviations to baseline configurations are required to have a risk assessment, and the business process owner accepts the risk(s) associated with the deviation.
- Unauthorized configuration changes are responded to in accordance with the Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Metrics are developed that provide management oversight to ensure security objectives are still being accomplished.
- Metrics reporting includes this process so it can be quantitatively analyzed.
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to
- Logs of privileged functions (e.g., administrator or root actions) are reviewed for evidence of unauthorized or prohibited activities.
- All traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies, is logged.
- Internet-bound requests are verbosely logged in order to identify prohibited activities and assist incident handlers with identifying potentially unauthorized activities.
- Both inbound and outbound network traffic are monitored for anomalous conditions.
- Special audit record storage capacity is created for "high risk" environments or systems.
- A process exists to allocate and proactively manage sufficient audit record storage capacity to reduce the likelihood of such capacity being exceeded.
- Event logs and audit tools are protected from unauthorized access, modification and deletion.
- A SIEM, or similar automated tool, provides an enterprise-wide, standardized and near real-time analysis process to correlate logs that focuses on the applications and/or services with elevated privileges.
- A SIEM, or similar automated tool, supports an analysis process for the escalation of events.
- A SIEM, or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software according to organization-specific Indicators of Compromise (IoC).
- A SIEM, or similar automated tool, is tuned to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
- Indicators of Compromise (IoC) from systems, applications and services, including both physical and logical security, are reviewed.
- A SIEM, or similar automated tool, monitors deactivated accounts for attempted usage.
- A SIEM, or similar automated tool, receives feeds from vulnerability scanners.
- A SIEM, or similar automated tool, receives logs from network and host-based intrusion detection / prevention systems (HIDS / HIPS).
- A SIEM, or similar automated tool, receives feeds from Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
- A SIEM, or similar automated tool, receives feeds from a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications.
- A SIEM, or similar automated tool, provides event log report generation capability to aid in detecting and assessing anomalous activities.
- A SIEM, or similar automated tool, provides a 24x7x365 near real-time alerting capability when a log processing failure occurs.
- A SIEM, or similar automated tool, alerts appropriate personnel in the event of a log processing failure in order to take actions to remedy the incident.
- Cryptographic protection controls use known public standards and trusted cryptographic technologies.
- All instances of non-console administrative access utilize cryptographic mechanisms to protect the confidentiality and integrity of the data.
- All mobile devices containing sensitive data utilize a cryptographic mechanism to prevent the unauthorized disclosure of information at rest (e.g., whole drive encryption).
- Systems / applications / services that store, process and/or transmit sensitive data utilize a cryptographic mechanism to prevent the unauthorized disclosure of information at rest.
- All databases containing sensitive data utilize a cryptographic mechanism to prevent the unauthorized disclosure of information at rest (e.g., column-level, Transparent Data Encryption (TDE), etc.).
- All network communications containing sensitive data utilize a cryptographic mechanism to prevent the unauthorized disclosure of information while in transit (e.g., SSH, TLS, VPN, etc.).
- All wireless access is protected via secure authentication and encryption.
- Systems / applications / services that store, process or transmit sensitive data utilize cryptographic technologies in compliance with relevant statutory and regulatory requirements.
- A Governance, Risk & Compliance (GRC) team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and privacy obligations are properly governed.
- The exporting of cryptographic technologies is in compliance with relevant statutory and regulatory requirements.
- Cryptographic key management controls protect the confidentiality, integrity and availability of keys.
- An IT infrastructure team, or similar function, implements and maintains an internal Public Key Infrastructure (PKI) infrastructure or obtains PKI services from a reputable PKI service provider.
- The PKI infrastructure assists users in making information sharing decisions to ensure data is appropriately protected.
- The PKI management function facilitates the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology.
- The PKI management function facilitates the production and management of asymmetric cryptographic keys using approved key management technology and processes that protect the user's private key.
- The PKI infrastructure ensures the availability of information in the event of the loss of cryptographic keys by individual users.
- The GRC function facilitates the implementation of data protection controls to ensure data stewardship is assigned, documented and communicated, including standards covering data classification and handling of both physical and digital assets.
- Auditing of the parameters of user query events for data sets containing sensitive / Personal Data (PD).
- An IT Asset Management (ITAM) program, or similar function, categorizes assets according to
technologies ainreputable
similar the
disclosure
event
automated
that are
ofand
of the
capabletool,
information
loss of
provider.
provides
of as anofthe
being
management
processing
protect
implements
-process A SIEM, theor user’s
and controls
similar in order
private
maintains to
automated to
key.
an take the
internal
tool, actions Public
provides and Key
an facilitates
cryptographic
- The PKI the
management production
keys by individual
function management
users.
facilitates the
compliant
the
cryptographic
confidentiality,
remedy data orthe
the key asset
transmit management
keys
incident. stores,
integrity sensitive
using technology.
transmits
industry
and data and/or
utilize
recognized
availability ofaid keys.key alternate capability
configured. for auditing
tocryptographic
physical safeguards. the parameters of user
-processes The
Infrastructure
event PKI
log infrastructure
report (PKI) ensures
infrastructure
generation the
capability or availability
obtains
to PKI
in symmetric
- The PKI
implementation infrastructure of cryptographic keys using
facilitates the
key Federal
secure
--cryptographic
An
management IT infrastructure
and applies
mechanisms
technology team,
the or similar
appropriate
and to prevent
processes. function, query
- An IT events
Asset for data
Management sets containing
(ITAM) program,Personal or
of
servicesAn
detecting
facilitates
IT infrastructure
Ainformation
SIEM, or
from
and the
similar
aproduction
assessing team,
automated
inreputable
the event PKI
anomalous
and
orservice
of similar
tool,
the loss
management of ofthe -Information
function,
provides
provider.
activities.
An IT infrastructure
distribution
management
Data (PD).
Processing
of symmetric
controls
team,
to Standards
and or asymmetric
protect
similar
the(FIPS)- function,
-technology
unauthorized
All
facilitates
capability cryptographic
cryptographic
controls
the
for disclosure
production
auditing
keys by
to
keys protect
theare of
individualand the
information
bound management
parameters data
to
users. as
individual
of user an of similar
implements
compliant function,key and categorizes
maintains
management assets
antechnology.
internal according
Public Key to
-according
The
A SIEM,
asymmetric PKI management
or to similar
cryptographic
the organization’sfunction
automated keys facilitates
tool,
using
data alerts
approved the cryptographic
confidentiality,
the data the assetkeys usingand
integrity
stores, industry recognized
availability
transmits and/or of keys.key
alternate
identities.
-symmetric
query eventsto physical
cryptographic
for data safeguards.
sets keys using
containing Federal
Personal Infrastructure
-- An (PKI) infrastructure or obtains PKI
key Themanagement
PKI
implementation
appropriate
classification
-Information
An IT(PD).
infrastructure
infrastructure andofhandling
personnel technologyinfacilitates
cryptographic
team, the orevent
and
requirements.
similar
the
key of secure
processesa log that management
function, An IT
processes
services IT infrastructure
andtechnology
infrastructure
from applies
aproduction
reputable
team,
theand
team, or similar
processes.
orservice
similar provider.
appropriate
PKI
function,
function,
Data
distribution
management
processing Processing
of
failure symmetric
controls in ordertoStandards
and
protect
to take (FIPS)-
asymmetric
the
actions and facilitates
- All cryptographic the keys are and bound managementto individual of
-protect
An ITAM,
implements the oruser’s
and similar private
maintains function, key. ensures
antechnology.
internal that
Public Key facilitates
technology
-asymmetric
The PKI management the production
controls to protectand
function management
the data
facilitates theof
compliant
cryptographic
confidentiality,
remedy the key management
keys
incident.integrityusing industry
and recognized
availability of keys.key identities. cryptographic keys using approved
-- The
media PKI
Infrastructure infrastructure
sanitization (PKI) and ensures
disposal
infrastructure the
actions
or availability
are
obtains PKI symmetric
according
implementation tocryptographic
the organization’s keys using
data Federal
An IT infrastructure team, or similar function, key managementoftechnology cryptographic and key processes that
- A Governance, Risk & Compliance (GRC) team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and privacy obligations for data protection are properly governed.
- The GRC function facilitates the implementation of data protection controls.
- Metrics reporting includes this process so it can be quantitatively analyzed.
- Metrics are developed that provide management oversight to ensure the physical media disposal process is operating in an optimal capacity.
- Metrics are developed that provide management oversight to ensure the media use restriction process is operating in an optimal capacity.
- Metrics are developed that provide management oversight to ensure the removable media security process is operating in an optimal capacity.
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and privacy obligations for data protection are addressed to ensure secure configurations are designed, built and maintained.
- An IT Asset Management (ITAM) program, or similar function, ensures data stewardship is assigned, documented and communicated, including standards covering data classification and secure handling of both physical and digital assets.
- An IT Asset Management (ITAM) program, or similar function, categorizes assets according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the data according to the organization's data classification and handling requirements.
- An ITAM, or similar function, scans unstructured data sources for sensitive data or data requiring special protection measures by statutory, regulatory or contractual obligations.
- Administrative processes and technologies mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
- Technologies are configured to automatically mark media and system output to indicate the classification and handling requirements.
- Administrative processes identify custodians throughout the transport of system media.
- Administrative processes and technologies protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.
- Media sanitization and disposal actions are documented and verified.
- Media sanitization equipment and procedures are tested to verify that the intended result is achieved.
- An ITAM, or similar function, categorizes information to aid Data Loss Prevention (DLP) technologies.
- The GRC function assists users in making information sharing decisions to ensure data is appropriately protected.
- Metrics are developed that provide management oversight to ensure the information sharing process is operating in an optimal capacity.
- Metrics are developed that provide management oversight to ensure the destruction of Personal Data (PD) process is operating in an optimal capacity.
- Physical controls, administrative processes and technologies restrict access to digital and non-digital media to authorized individuals.
- Physical controls, administrative processes and technologies restrict the types, usage and distribution of digital media.
- Administrative processes and technologies securely dispose of, destroy or erase information.
- Administrative processes and technologies restrict the use of portable storage devices by users on external systems.
- Administrative processes and technologies securely store digital and non-digital media within controlled areas using organization-defined security measures.
- Administrative processes and technologies securely store digital and non-digital media within controlled areas using organization-defined security measures.
- Technologies are configured to sanitize media, both digital and non-digital, with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.
- Administrative processes and technologies restrict removable media in accordance with data handling and acceptable usage parameters.
- Administrative processes and technologies restrict the use of portable storage devices by prohibiting installation without privileged status.
- Physical controls, administrative processes and technologies protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
- Physical controls, administrative processes and technologies physically secure all media that contains sensitive data.
- Physical controls, administrative processes and technologies restrict access to digital and non-digital media to authorized individuals.
- Contracts management, or similar function, works with third-party providers to ensure their systems and services are capable of securely storing, processing and transmitting data.
- Organization-defined security measures protect the confidentiality, integrity, availability and safety of endpoint devices.
- Administrative processes and technologies ensure that security and privacy controls are implemented in accordance with applicable statutory, regulatory and contractual obligations for information processed, stored or transmitted on external systems.
- A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of sensitive information.
- Metrics are developed that provide management oversight to ensure the data retention process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.
- An ITAM, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the asset.
- An ITAM, or similar function, uses a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets that is configured to perform integrity checking and alert on unauthorized configuration changes.
- Unauthorized configuration changes are responded to in accordance with the Incident Response Plan (IRP) to determine if any unauthorized configuration is malicious in nature.
- Administrative processes and technologies prohibit "rogue instances" where unapproved third parties are engaged to store, process or transmit data. This includes budget reviews and external firewall connection authorizations.
- Administrative processes and technologies retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
- Physical controls, administrative processes and technologies protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
- Physical controls, administrative processes and technologies restrict access to digital and non-digital media to authorized individuals.
- Organization-defined security measures protect the confidentiality, integrity, availability and safety of endpoint devices.
- A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of sensitive information.
- Administrative processes and technologies inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components for
- Security engineering, or a similar function, ensures that systems, applications and processes conform to industry-recognized standards
and/or
integrity
nature.
obligations.
configuration
data
- An that
ITAM, is or changes.
resident
similar (permanently
function, or
usesfunction,
a
configuration
unauthorized hardening (e.g.,
configuration is DISA STIGs,
malicious in CIS -- Security
Unauthorized engineering,configuration or a similarchanges are
shared with
checking
Benchmarks andotheralert
or OEM third-parties.
onsecurity
unauthorized guides) for test, temporarily)
Configuration
ensures that within
Management
systems, a service's
applications geographically
Database and (CMDB),
processes
nature.
configuration changes. responded
distributed
or similarto to in accordance
applications
tool, with
(physical
as the authoritative the
and Incident
virtual),
source of IT
development,
-- Security staging
engineering, and production
or a similar function, conform
Response industry-recognized standards anyfor
Unauthorized
environments. configuration
This includes changes
creating are
special assets thatPlan
infrastructure,
configuration
(IRP) to determine
systems
is configured
hardening components
to perform
(e.g., DISA
if the
and/or
integrity
STIGs, CIS
ensures
responded thattosystems,
in accordance applicationswith the and processes unauthorized
Incident shared
checking withandother configuration
alert third-parties.
onsecurity is malicious in
unauthorized
hardening
conform to requirements
industry-recognized for High-Valuestandards Assets
for Benchmarks
nature. or OEM guides) for test,
Response Plan (IRP) to determine if the any
(HVAs). configuration changes.
development, staging and production
configuration hardening (e.g., DISA STIGs, CIS -- Security engineering, or a similar function,
-unauthorized
A Security Operations
Benchmarks
configuration
or OEM security Center is malicious
(SOC), for
guides) or insimilar
test,
Unauthorized
environments.
ensures thattosystems,
configuration
This includes
applications
changes
creating and
are
special
processes
nature.
function, centrally-manages anti-malware and responded
hardening in accordance
requirements for with
High-Valuethe Incident
Assets
development,
-anti-phishing
Security engineering, staging and production
or a similar function, conform
Response toPlan (IRP) to determine if the anyfor
industry-recognized standards
environments. technologies,
This includes in accordance
creating special with (HVAs).
ensures that systems,
industry-recognized applications
practices and
for Prevention, processes configuration unauthorized
-Benchmarks
A Security Operations
hardening (e.g.,
configuration Center
DISA STIGs,
is malicious
(SOC), for or in
CIS
similar
hardening requirements
conform to&industry-recognized for High-Value
standards for Assets or OEM security
nature. centrally-manages anti-malware and guides) test,
Detection
(HVAs). Response (PDR) activities. function,
development, staging and
configuration
-- An Identity & hardening
Access (e.g., DISA STIGs,
Management (IAM), CIS
or -anti-phishing
Security engineering,technologies, or aproduction
similar
increating
accordancefunction, with
A Security
Benchmarks Operations
or OEM Center (SOC),
security guides)permissions or similar
for test, environments.
ensures that systems, This includes
applications and special
processes
similar
function, function, centrally-manages
centrally-manages anti-malware and hardening industry-recognized practices
requirements for High-Value for Prevention,Assets
development,
and implements staging
“leastand production
privileges” practices the conform Detectionto&industry-recognized
Response (PDR) activities. standards for
-ensures
cybersecurity An IT Asset Management
industry-recognized
and privacy (ITAM)
HRuses program,
practices
obligations areor implementation
-and/or Metrics are of security
developed
reporting includesthatand privacy
provide
this process controls
so it can
-similar An ITAM, or similar
function, function,
categorizes endpoint a are
devices to processes
protect the and applies
confidentiality, the appropriate
integrity,
implemented
properly
Configuration governed. for hiring,
Management retaining
Database and (CMDB), management
be
technology quantitatively oversight
controls analyzed.to ensure
toofprotect the
the asset andpersonnel
according to the data thecontractors
asset stores, transmits -availability and safety endpoint in andevices.
terminating
-or
and/or
The
A GRC tool,
Human
similarprocesses
employees,
function
Resourcesas the
and
facilitates
(HR), orthe
authoritative
applies similar
the
and
function,
source
appropriate of IT screening
other data.
-
A Humanprocess
An IT Asset
Resources
Management
is operating
(HR), or similar
(ITAM)
optimal
function,
program,
-personnel
implementation
ensures
assets A Humanthat Resources
that work
iscontrols of
industry-recognized
configured on(HR),
security behalfor
and similar
of
HRthe
to perform the
privacy
practices function,
controls
integrity are capacity.
ensures
-similar An ITAM, industry-recognized
or similar function, HR practices
uses a devices areor
technology
ensures
organization.
to protect industry-recognized
thealert to
confidentiality, protect HR asset
practices
integrity, and
are -implemented function,
Metrics reporting for categorizes
includes
hiring, endpoint
this
retaining process
and (CMDB), so it can
implemented
checking
data. and for hiring, retaining
on unauthorized and Configuration
according Management
toemployees,
the data Database
thecontractors
asset stores, transmits
implemented
-availability
terminating A HR, or similar
and for hiring,
function,
safety of retaining
identifies
endpoint and and
devices. be
terminatingquantitatively analyzed. sourceother
and
configuration
-implements
-- An
terminating An ITAM,
IT Asset oremployees,
changes.
similar
employees,
industry-recognized
Management
contractors
function,
contractors
(ITAM) uses
HR
and other or
apractices
and
program, other or -and/orpersonnel
similar
A Human
tool, as the
processes
Resources
that workandon authoritative
applies
(HR),
behalfor the appropriate
similar
of the function,
of IT
personnel
Configuration Unauthorized that work
Management on
configuration behalf of the
changes are assets that is configured to perform integrity
personnel
related
similar
organization.
responded that work
to cybersecurity
function,
to inas categorizes
accordance and Database
on behalf of the
privacy
endpoint (CMDB),
thetraining
devicesand ensures technology
organization. controls to protect
industry-recognized HRthe asset and
practices are
-or
organization.
awareness
according Asimilar
Humantool, toResources
to help
the the
dataensure(HR),
the orwith
authoritative
secure
asset similar Incident
function,
source
practices
stores, of
are
transmits IT checking
data.
implemented
- A HR, or
and alert on unauthorized
similar for hiring,
function, retaining
identifies and and
-Response
ensures A HR,thatorindustry-recognized
similar
Plan function,
(IRP) toidentifies
to determine HR if the
practicesandany configuration changes.
assets
-implemented
and/or
implements
unauthorized A HR, or is configured
similar
processes function,
in personnel
and applies
industry-recognized
configuration
perform
identifies
management
is the andinare
integrity
appropriate
HR
malicious practices
-terminating
An ITAM, oremployees,
implements
- Unauthorized
similar function,
industry-recognized
configurationcontractors uses
HRapractices
changes andareother
implemented
checking
implements
operations
technology and to for
alert
help
controls hiring,
on
industry-recognized
manage
to retaining
unauthorized
protect risk to
theHRand
both practices
asset and Configuration
personnel
related to that Management
work
cybersecurity on behalf
and Database
of
privacy the (CMDB),
training and
related
nature.
terminating
configuration to cybersecurity
employees,
changes. and privacy
contractors training
and other and responded
or similar tool, to inasaccordance
the with the
authoritative Incident
source of
related
technology
data.
awareness
-personnel Security to engineering,
cybersecurity
assets
to help and
ensure orand
data. a privacy
secure
similar training
practices
function, areand organization.
awareness
Response to help
Plan (IRP) ensure
to secure practices
determine if the any areIT
-awareness Unauthorized that work
tosystems,
help on
configuration
ensure behalf
secure of practices
the
changes are are assets A HR,that is configured toidentifies
perform integrity
-implemented
ensures
organization.
responded
A
AnHR, orthat
ITAM, similar
or
to
similar
in
function,
in accordance
personnelfunction, managesuses
management
applications
with theand processes -implemented
apersonnel
Incident unauthorized
checking
or similar
and
function,
in personnel
configuration
alert on
management
is malicious
unauthorized
andin
implemented
security
Configuration
operations
conform risk to by in personnel
assigning
Management
help manage a management
risk designation
Database
risk to both (CMDB), to all implements
operations toindustry-recognized
help manage risk toHRboth practices
-Response
operations HR, orto
Asimilar industry-recognized
similar
Plan
to asfunction,
(IRP)
help manage determine standards
identifies
toauthoritative to ifboth
riskDISA and
the anyoffor
IT related
nature.
configuration changes.
to engineering,
cybersecurity
positions
or
-technology
configuration
implements
unauthorized A Human and
tool, establishing
assets
Resources the
hardeningand
industry-recognized
configuration data.
(HR), screening
(e.g.,
or
is similar
HR
malicious
criteria
source
STIGs,
practices
in CIS
function, for technology
-- Security
Unauthorized
assets orand
and data.
configuration
privacy
a similar
changes
training and
function,
are are
technology
individuals
assets
-Benchmarks A HR,thator assets
filling
isor
similarconfigured
OEM and
those
function, data.
positions.
tomanages
security perform
guides) integrity
personnel
for test, awareness
- A HR, orthat to
similar help ensure
function, secure
managesand practices
personnel
ensures
related
-nature. A HR, orindustry-recognized
to cybersecurity
similar function, and HR
manages practices
privacy training
personnel areand ensures responded
implemented to systems,
in applications
accordance
personnel with
management the processes
Incident
checking
security
development, and
risk byalert on
assigning
staging and a ensures
unauthorized
risk that
designation
production every to all security
See
conform risk
SP-CMM3.
to by assigning
SP-CMM4
industry-recognized aisrisk
N/A, designation
since
standards a to all
implemented
awareness
-security
user
configuration Security
accessing
for
tobyhelp
engineering,
risk a
hiring,
ensure
assigning
system
changes.
retaining
asecure
orthat
a similar
risk and
practices
function,
designation
processes, are
to
stores, all Response
operations
positions Plan
and to
quantitatively-controlled (IRP)manage
help to determine
establishing risk
screening
process to ifboth
is the anyfor
criteria
not for
positions
environments.
terminating
implemented
ensures andemployees,
that establishing
inThis includes
personnel
systems, screening
creating
contractors
management
applications and criteria
special
and other
processesfor configuration
unauthorized hardening (e.g.,
configuration is DISA STIGs,
malicious in CIS
positions
or
-personnel
individuals transmits
Unauthorized and establishing
sensitive
filling configuration
those screening
information changes is criteria
cleared
are for
and technology
individuals
necessary to assets
filling
ensure and
those data.
positions.
system configurations
hardening
operations
conform
individuals to requirements
that
to work
help
industry-recognized
filling those onpositions.
manage forrisk
behalf High-Value
positions. of
to the
both
standards Assets
for Benchmarks
-nature.
A HR, security
or similar
or OEM security guides) for test,
function, manages personnel
--regularly
responded
(HVAs).
organization. A HR,
A Human or trained
Resources
to
similar in in proper
accordance
function,(HR), data
orwith
ensures handling
similar
the thatfunction,
Incident
every isolate
development, functions
staging and ensures
from that
non-security
production every
-technology
configuration
practices.
ensures
Response
user
--Benchmarks A
A Human
HR, or assets
similar hardening
Resources
industry-recognized
accessing
Security Plan a(IRP) and
function,
system
Operations to data.
(HR),(e.g.,
or
determine
that
Center HRDISA
similar
ensures STIGs,
that
practices
if
processes,
(SOC), the or any CIS
function,
every
are
stores,
similar
-
user Security
security
functions. engineering,
risk
accessing
environments. by a assigning
system
This
or aa
that
includes
similar
riskprocesses,
creating
function,
designation to all
stores,
special
A HR,
HR, orindustry-recognized
or similar
similar
or OEMfunction,
function,
security identifies
manages
guides) and
personnel
for test, ensures that systems, applications and processes
-ensures
user
implemented
unauthorized
or A accessing
Governance,
transmits a
for system
Risk
hiring,
configuration
sensitive & that
Compliance
retaining
information HR practices
processes,
and
isanti-malware
malicious (GRC) are
stores,
team,
in and
is practices
cleared positions
or transmits and establishing
sensitive screening
information is criteria
cleared for
and
function,
implements
security
development,
implemented
or
terminating
nature. transmits
similar
centrally-manages
risk industry-recognized
by assigning
staging
for
sensitive
function,
employees,hiring,
worksand awith
risk
retaining
information
contractors the
HR
designation
production and
isHRcleared
and functiontoand
other all hardening
and conform
individuals
regularly to requirements
industry-recognized
filling
trained those
in proper
for High-Value
positions.
data standards
handling
Assets
for
regularly
anti-phishing
related
positions
environments. totrained
and in proper
technologies,
cybersecurity
establishing
This includesand data handling
increating
accordance
privacy
screening training
criteria
special with and (HVAs).
for
terminating
regularly
to
personnel
-awareness
practices.
industry-recognized ensuretrained
Security that
thatemployees,
engineering, in proper
applicable
work contractors
practices data ofhandling
statutory,
onorbehalf
asecure
similar
for the and other
regulatory
function,
Prevention, -configuration
A
A HR,
practices.
-Benchmarks or similar
Security
hardening
Operationsfunction, (e.g.,
Center
DISA that
ensures STIGs,
(SOC), for orevery
CIS
similar
individuals
hardening
personnel
practices. to
that help
filling
requirements
work ensure
those on positions.
for
behalf of practices
High-Value
the Assetsare user accessing or a OEM
system security
that guides)
processes, test,
stores,
-and
organization.
ensures
Detection
implemented
-organization.
(HVAs). A
A
contractual
HR, or
that
Governance, in obligations
systems,
& Response
similar Risk
personnel
function, (PDR) for
&applications
Compliance cybersecurity
and
activities.
management
ensures (GRC)
that
processes
team,
every
and -function, A Governance,
development,
Risk & Compliance
centrally-manages
staging andwith anti-malware
production
(GRC) team,and
-privacy
--conform
or Administrative
A
An HR,
similar are
or to
Identity properly
similar processes
governed.
function,
industry-recognized
function,
& Access works evaluate
identifies
with
Management personnel
standards
the HR and for
function
(IAM), or or transmits
similar
anti-phishing sensitive
function,
technologies,information
works in the isHR
accordance cleared
function
withand
operations
user
-implements
security A accessing
Security
HR, or to
similar
risk by help
Operations manage
ascreening
system
function, that
Center risk to both
processes,
(SOC),
identifies
individuals and
prior stores,
orHR,similar
to environments.
regularly trained This
in includes
proper creating
data handling special
-configuration
to
similar The GRC
ensure function,
that
function, hardening
applicable in
industry-recognized conjunction
(e.g.,
centrally-manages DISA
statutory, HR withpractices
STIGs,
regulatory CIS to ensure that applicable statutory, regulatory
technology
or
function,
implements
authorizing
defines
related
Benchmarks transmits
to
assets
sensitive
centrally-manages
access.
cybersecurity
cybersecurity
or OEM
andinformation
industry-recognized data.
roles
and
security andprivacy
guides) ispermissions
anti-malware
HR cleared
practices
responsibilities
training
for test,andand
and
industry-recognized
hardening
practices.
and contractualrequirements practices
obligations forfor for Prevention,
High-Value
cybersecurity Assetsand
-and
-regularly
anti-phishing
related A
A
contractual
implements
HR, or
to
Governance,similar
trained obligations
“least
function,
in proper
technologies,
cybersecurity
Risk & and
for
privileges”
manages
data
in
Compliance
cybersecurity
practices
handling
accordance
privacy personnel
training
(GRC) with
team,
and
the
and
Detection
(HVAs).
-
&
Administrative
Response
processes
(PDR) activities.
evaluate personnel
to
awareness
development,
privacy
management
security maintainare
risk toa safe
help
staging
properly
of and
user,ensure secure
and
governed.
group secure working
production
and practices are
system to all privacy -- An are properly
Identity & Accessgoverned.
Management (IAM), or
practices.
industry-recognized
awareness
or
environment
implemented
environments.
-accounts, similar
The GRC toby
function,help
for
in
function,
including
assigning
all practices
ensure
works
personnel
personnel
This includes
in
awith
risk
secure designation
for
management
conjunction
privileged
Prevention,
thepractices
creating HRspecial
with
accounts. function
HR, are - A Security
security
The
similar GRC risk Operations
by screening
function,
function,
Center
in conjunction
centrally-manages
(SOC),
individuals with orHR,
prior similar
permissionsto
positions
-Detection
implemented A and
Governance,& establishing
ResponseRisk & screening
Compliance
(PDR) activities. criteria
(GRC) for
team, function, centrally-manages anti-malware and
to
-hardening
operations
defines ensure
The to in
that
HRcybersecurity
function, help
requirementspersonnel
applicable
in conjunction
managerolesfor management
statutory,
risk
and to with
both
High-Value regulatory
the GRC authorizing
Assets
responsibilities defines access.
cybersecurity “leastroles and responsibilities
-individuals
or
operations
and
function,
technology
(HVAs). Ansimilar
Identity
contractual filling
function,
to
defines&help
assets
those
Access works
manage
obligations
terms
and
positions.
of
data. with
Management
risk
for the
to
employment, HR
both
cybersecurityfunction
(IAM), orand and -
to A
implements
anti-phishing
Governance,
maintain a technologies,
safe Risk
and &
privileges”
Compliance
secure
practices
in accordance
working (GRC) team,
the
with
--to
to A
A Human
maintain
HR, or Resources
a
similarsafe and
function,(HR),
secure or similar
working
ensures thatfunction,
every management of user, group and system
similar
technology
-privacy
including
ensures
environment
user Aensure
HR, are
or
Security
accessing
that
function,
assets
similar applicable
properly
acceptable
Operationscentrally-manages
and
function,
industry-recognized
for all data.
governed.
and statutory,
unacceptable
Center
personnel
a obligations
system that manages
HR (SOC),
processes,
regulatory
permissions
orrules
personnel
practices similar
are
stores,
of industry-recognized
or
See similar
environment
SP-CMM3.
accounts, function,
including
practices
all works
forSP-CMM4 personnel
privileged with
is N/A,
for
the Prevention,
HR function
since
accounts. a
-and
behavior
-security
function,
implemented A
The
The
contractual
implements
HR, HRor
GRC similar
function,
for
risk the
by “least
function,
use in
assigning
centrally-manages
function, for hiring,
in of for
privileges”
manages
conjunction
technologies,
a risk
retaining
conjunction
cybersecurity
practices
withpersonnel
designation
anti-malware
and
with HR,
including
the to
and
GRC
and
theall Detection
to
- ensure
The HR &
that Response
function,
quantitatively-controlledapplicable
in (PDR)
conjunction
process
activities.
statutory, with
is regulatory
not the GRC
or
privacy
management transmits
are sensitive
properly
of user, information
governed.
group is cleared and
security
defines
consequences
positions
anti-phishing
terminating
function,
regularly
risk
and by
cybersecurity
defines
trained forassigning
establishing
technologies,
employees,terms
in
roles
unacceptable
proper of inand
ascreening
risk
and system
designation
responsibilities
behavior.
accordance
contractors
employment,
data handling criteria
and tofor
with
other all and - An contractual
Identity
function,
necessary defines& Access
to require
Management
obligations
terms all of employment,
employees
(IAM), orand
for cybersecurity
and
-accounts,
positions
to
-industry-recognized
individuals The
The GRC
maintain
GRC function,
including
and a
functionestablishing
safe
filling and
those in conjunction
privileged
secure
facilitates screening
positions.
practices working
the
for with
accounts.
Prevention, HR,
criteria for similar
privacy
including function,
are properly
acceptable centrally-manages
governed.
and unacceptable permissions
rules of
personnel
including
practices.
defines that work on
acceptable
cybersecurity and behalf
roles and of
unacceptable the rules of contractors
responsibilities and implements to apply“least security
privileges”and privacy
practices the
individuals
-environment
implementation
Detection
organization. A HR, or filling
similar
& for
Response those
all
of security
function, positions.
personnel
(PDR) and
ensures privacy
activities.that controls
every - The
behaviorGRC forfunction,
the use inofconjunction
work.and systemHR,
technologies, with including
-behavior
-to A
A maintain
TheHR, HRor
forathe
Governance,similar
function,safe use
Riskand of
function,
in
technologies,
& secure
Compliance
conjunction working
ensures withthat
including
(GRC) team,
every
the GRC
principles
management
defines
in theirof
cybersecurity
dailygroup
user, roles and responsibilities
with
-user
consequences
or A HR,asset/process
accessing
Administrative
similaror function,
similar for owners
a processes
system
function, that
unacceptable
works and custodians.
processes,
exist and
identifies
with behavior.
the HR and stores, See
technologies
function consequences
SP-CMM3.for unacceptable
SP-CMM4 is N/A,behavior.
since a
environment
user
function,
-implements An accessing
Identitydefines&for all
aAccess
system
termspersonnel
that
of processes,
employment,
Management (IAM), stores,
or accounts,
to
- maintain
The GRC including
a safe and
function privileged
secure
facilitates accounts.
working
the
-or
are
-to
transmits
configured
Rules
ensure
The HRof sensitive
behavior
that
function,
to isolate
industry-recognized
applicable information
contain
inproper
security
explicit
statutory,
conjunction
is
with
cleared
functions
HR practices
restrictions
regulatory
the GRC
and
from quantitatively-controlled process is not
or
including
similar
regularly
non-security
related
on transmits
the function,
to
usetrainedsensitive
acceptable
cybersecurity
of social in
functions. information
and
media unacceptable
centrally-manages
and data
and ispermissions
handling
privacy
networkingcleared
rules
training and
of environment
and
sites, implementation
necessary to for of
define allsecurity
personnel
acceptable and privacy
and controls
and
function,
regularly
behavior contractual
defines
trained
for the obligations
terms
in
use proper
of for cybersecurity
of employment,
data
technologies, handling including and - The HR function, in conjunction with the
and
practices.
awareness
posting
privacy
including
implements to
information
are properly
acceptable
“least
help ensure on privileges”
governed.
and
practices
secure practices
commercial
unacceptable websites
rules areand unacceptable rules of behavior for the useGRC
the
of
with asset/process owners and custodians. of
practices.
consequences
-management A Governance, for
of Riskunacceptable
user, &group
Complianceand behavior.
system(GRC) team, -function,
An Identity
technologies,defines termsManagement
&including
Access of employment,
consequences (IAM),
for or
-implemented
sharing
-behavior The
A GRCaccount
for
Governance,
in
function, personnel
information.
the Risk in management
conjunction
usefacilitates
of Compliance
technologies, with HR,
including
-accounts,
or
operations
defines
consequences
The
The GRC
similar
GRC function
including
function,
to help
function,
cybersecurityfor in&roles
privileged
works
manage with
risk
conjunction
unacceptable and
the
accounts.
the
to (GRC)
HR
both
with team, including
function
HR,
responsibilities
behavior.
unacceptable acceptable
similar function, behavior. and unacceptable
centrally-manages rules of
permissions
or
implementation
-technology
to
establishes similar
ensure function,
Administrativethat
assets
usage of works
security
processes
applicable
and data.
restrictions with
and
requirethe
statutory,
and HR
privacy
all function
controls
employees behavior
and for
implements
regulatory See SP-CMM3. SP-CMM4 is N/A, since a the use
“least of technologies,
privileges” including
practices the
-to
to
with
and
maintain
Rules
ensure that
contractors
contractual
a safe
of behavior
asset/process to
and
applicablecontain
owners
apply
obligations
secure
security
for
working
explicit
statutory,
and and restrictions
regulatory
custodians. privacy
cybersecurity and consequences
management offor
quantitatively-controlled unacceptable
user, group and
process behavior.
system
is not
-environment
implementation
on A the
HR, use
or similar for function,
guidance
all personnel manages
for personnel
communications
and
-security
principles
privacy
-technologies
An contractual
The
Identity
HR are inof
risk &social
their
properly
by
function,
Access
based
media
obligations
daily
assigning
in governed.
on the a
conjunction
and
Management
work. risk
networking
for designation
cybersecurity
potential with
(IAM),
tothe
cause
sites,
orand
to
GRC all necessary - The GRC including
accounts, function
to requirefacilitates
privileged
internal and the
accounts.
third-party
posting
privacy
similar
-damage The GRCinformation
are properly
function,
Administrativefunction, on
in commercial
governed.
centrally-manages
processes formally
conjunction websites
permissions
educate
with HR, and implementation
- Administrative
users to sign of security
processes
appropriate and privacy
require
access controls
all employees
agreements
positions
function, toand establishing
systems,
defines terms if used screening
maliciously.
of employment, criteria for
-sharing
and
users
defines
individuals
--including The
The GRC
GRC
account
implements
about function,
their
cybersecurity information.
“least
filling those
function, in
duties
in conjunction
privileges”
to
roles protect with
practices HR,
sensitive
and responsibilities
positions.
conjunction with HR, the with
and asset/process
contractors to
prior to being granted access. owners
apply and
security custodians.
and privacy
defines
management The GRC acceptable
function,
cybersecurity
of user, inand
roles
group unacceptable
conjunction
and
and with rulesHR, of -principles
responsibilities
system An Identity & Access
data.
to
-govern A maintain
HR, or
usage a
similarsafe and
function,
policies secure
for working
ensures
critical that
technologies. every in their dailyManagement
work. (IAM), or
behavior
establishes
to
accounts, maintain for a the
usage
safe
including useand ofsecure
technologies,
restrictions
privileged and
working
accounts. including See SP-CMM3.
similar function, SP-CMM4 is N/A, since
centrally-manages a
permissions
environment
user
-implementation Theaccessing
GRC function, for all
a guidance
system personnel
that
in conjunction processes,
with HR, - Administrative
stores, quantitatively-controlled process is not processes formally educate
consequences
environment Administrative for
for allunacceptable
personnel
processes for behavior.
communications
- The HR function, in conjunction with the GRC function, defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.
- The HR function, in conjunction with the GRC function, sanctions personnel failing to comply with established security policies, standards and procedures.
- … based on the potential to cause damage to systems, if used maliciously.
- The GRC function, in conjunction with HR, ensures that all employees and users with access to sensitive information are cleared and regularly trained in proper data handling practices.
- The GRC function, in conjunction with HR, manages business risks associated with permitting mobile device access to organizational resources.
- The GRC function, in conjunction with HR, facilitates the implementation of security and privacy controls with asset/process owners and custodians.
- An Identity & Access Management (IAM), or similar function, centrally-manages permissions and implements “least privileges” practices for the management of user, group and system accounts, including privileged accounts.
- Administrative processes require all employees and contractors to apply security and privacy principles in their daily work.
- Administrative processes formally educate users about their duties to protect sensitive data.
- Administrative processes and technologies govern the termination process of individual employment.
- Administrative processes and technologies adjust logical and physical access authorizations to systems and facilities upon personnel reassignment, transfer or termination, in a timely manner.
- Administrative processes require internal and third-party users to sign appropriate access or confidentiality …

- A Governance, Risk & Compliance (GRC) team, or similar function, ensures that applicable statutory, regulatory and contractual cybersecurity and privacy obligations are properly governed to facilitate the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data.
- An IT Asset Management (ITAM) program, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the asset and data.
- Security engineering, or a similar function, ensures that systems, applications and processes conform to industry-recognized standards for configuration hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments. This includes creating special hardening requirements for High-Value Assets (HVAs).
- An Identity & Access Management (IAM), or similar function, facilitates the implementation of identification and access management controls.
- An IAM, or similar function, centrally-manages permissions and implements “least privileges” practices for the management of user, group and system accounts, including privileged accounts.
- Active Directory (AD), or a similar technology, is used to centrally-manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications or services.
- Technologies are configured to utilize a formal user registration and de-registration process that governs the assignment of access rights.
- Administrative processes and technologies revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.
- Administrative processes and technologies revoke user access rights in a timely manner, upon termination of employment or contract.
- Administrative processes and technologies securely manage passwords for users and devices.
- Administrative processes and technologies enforce password complexity to ensure strong passwords.
- Administrative processes and technologies determine if password authenticators are sufficiently strong enough to satisfy …
- Administrative processes and technologies ensure proper use of authentication mechanisms (e.g., passwords, passphrases, …

- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to govern the termination of individual employment.
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel users to follow accepted practices in the use of authentication …
- Metrics reporting includes this process so it can be quantitatively analyzed.
- Metrics are developed that provide management oversight to ensure the termination of employment process is operating in an optimal capacity.
- Metrics are developed that provide management oversight to ensure the Privileged Account Management (PAM) process is operating in an optimal capacity.
- Metrics are developed that provide management oversight to ensure the governance of the use of privileged utility programs process is operating in an optimal capacity.
- Metrics are developed that provide management oversight to ensure the authenticator management process is operating in an optimal capacity.
centrally-manage
user rights or(e.g.,
access in
organization-defined DISA
a timely
management
aidentities
similar
identification STIGs,
manner,
and
function,
management CIS
password personnel
practices
passwords.
control
physical
roles
the
program
oror logical
and
management
for duties,
systems,
security
if no
of user,longer
applications
tokens, group
smart cards, and
or
Benchmarks
upon
controls.
permissions.
length termination
and or
OnlyOEM
complexity of
by security
employment
exception guides)
requirements. due or tofor test,
contract.
aprocesses and/or
necessary
system
- Technologiesprocesses
accounts, and
permitted.
areincludingapplies
configured the
privileged appropriate
to determine accounts. if
ensures
for that
non-consumer systems, users applications and
and administrators. services.
certificates, etc.).
development, staging and production technology
Administrative controls to protect
processes the asset and
-technical
- An
conform IAM,to orindustry-recognized
or
Administrative similar
business function,
processeslimitation
and centrally-manages
are solutions
technologies
standards for -password
Active
-data.
See Directory
authenticators
Administrative
SP-CMM3. (AD),
processes
SP-CMM4 orareisaand
and technologies
similar
sufficiently
N/A, technology,
technologies
since a strong is
environments.
permissions
authorized
ensure
identifythat
configuration toand This
unencrypted,
contractor hardening includes
implements
operate and aother creating
“least
decentralized
static
(e.g., special
privileges”
access
authenticators
DISA STIGs,
third-party CIS
users revoke
used
enough
ensure touser access
centrally-manage
to satisfy
proper user rights in a timely
identities
organization-defined
identification manner,
and
management password
quantitatively-controlled
- Security engineering, or process
a similar isfunction,
not
hardening
practices
control
are not program
Benchmarks
through requirements
the
embedded
unique management
or OEM forinsystems,
username for ofHigh-Value
applications,
security user,
guides) group
applications
scripts
characteristics. Assets
and
or
or
for test, upon
length
for termination
permissions.
and
non-consumer Only
complexity of
by employment
exception
users requirements.
and due or
administrators. contract.
to a
necessary to systems,
enforce logical access and permissions
(HVAs).
system
services.
stored on
development, accounts,
function including
staging keys. privileged accounts. ensures
and production technical
-conform
that
or business
Administrative
through the processes
principle
applications
limitation
of "least are solutions
andprivilege."
technologies
processes
--environments.
An Identity
Active Directory
Administrative & This
Access
(AD),
processes Management
or a similar
and (IAM),
technology,
technologies or is authorized
ensure to
that industry-recognized
to operate
unencrypted, a decentralized
static standards
authenticatorsaccess for
includes creating special identify contractor and other third-party users
similar
used
restrict
ensure function,
tovendor-supplied
and facilitates
centrally-manage
control privileged the
defaults implementation
identities
accessareandrights
changed foras control configuration
are not program
embedded hardening
forinsystems, (e.g.,
applications, DISA
applicationsSTIGs,
scripts or CIS
or
hardening requirements for High-Value Assets through unique username characteristics.
of
users
part identification
permissions.ofand Only
theservices. and
installationbyaccess
exception management
process. due to a Benchmarks
services.
stored on function or OEM security
keys. guides) for test,
(HVAs).
controls.
technical or business limitation are solutions development, staging and production
-- An Administrative
Technologies
Identity & are processes
Accessconfigured andtotechnologies
Management obscure
(IAM), theor - Administrative processes and technologies
-authorized
An
inventory
feedback IAM, or to
all similar
operate
privileged
of authentication function,
a accounts centrally-manages
decentralized and
information access
validate
during ensure vendor-supplied defaults environments.
restrict and This
control includes
privileged creating
access specialforas
rights
are changed
similar function, facilitates the implementation
permissions
control
that
the each program
authenticationand
person implements
for
with systems,
elevated
process to “least
applicationsprivileges”
privileges
protect the or
is hardening
users
part ofand
the requirements
services.
installation for High-Value Assets
process.
of identification and access management
practices
services.
authorized
information theby management
fromthe possible
appropriate of user,
level group
exploitation/useof andby (HVAs).
- Administrative
Technologies are processes
configured andtotechnologies
obscure the
controls.
system accounts,
--organizational
Administrative including
processes
management. privileged
and technologiesaccounts. -feedback
An Identity & Access Management and(IAM), or
unauthorized
An IAM, or similar function, centrally-manages inventory
individuals. allauthentication
of privileged accounts information validate
during
-compel
Active Directory
users
- Administrative to (AD),
follow
processes or a similar
accepted
exist toto technology,
practices
periodically in theis similar function, facilitates the implementation
Technologies
permissions and are configured
implements “least allowprivileges” that each person with
the authentication elevated
process privileges
to protect the is
used
use
reviewoftoauthentication
individuals centrally-manage
the privileges
to management assigned
utilize alternative identities
mechanisms tomethods andto of
(e.g.,
users of identification
authorized
information byfromtheand accessexploitation/use
appropriate
possible management
level of by
practices the of user, group and
permissions.
passwords,
validate
authentication,
system accounts, Only
thepassphrases,
need by exception
for
under such
including physical due
privileges;
specific or to
circumstances
privileged anda
logical
accounts. or controls. organizational
unauthorized individuals.management.
technical
-security
reassign
situations or
tokens,
or that
Active Directory business
remove smart
are limitation
cards,
privileges,
approved
(AD), andifare
or a similar solutions
certificates,
necessary,
have
technology, to is -- An
etc.). IAM, or similar
Administrative
Technologies function,
processes
are configured existcentrally-manages
toto allowperiodically
authorized
-used
Administrative
correctly to
reflect operate
processes a
organizationaldecentralized
and technologies
mission access permissions and implements “least privileges”
undergone a thorough
to centrally-manage riskidentities
assessment. andand review the privileges
- An Identity & Access Management (IAM), or similar function, ensures that systems, applications and processes utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of formally-assigned cybersecurity, IT, privacy and business function representatives that can execute coordinated incident response operations.
- The ISIRT, or similar function, develops and maintains a documented Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance that governs cybersecurity and privacy response operations that cover preparation, detection and analysis, containment, eradication and recovery.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations.
- Metrics are developed that provide management oversight to ensure the incident response process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.
- The ISIRT, or similar function, incorporates lessons learned from analyzing and resolving cybersecurity and privacy incidents to reduce the likelihood or impact of future incidents.
- The ISIRT, or similar function, works with appropriate stakeholders to conduct incident response training and exercises.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) that are specific to the business process / business unit. These business process-specific IRPs support the organization’s larger approach to incident response operations.
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to implement a documented Root Cause Analysis (RCA) and lessons learned process to facilitate an organization-wide response capability.
- The ISIRT, or similar function, incorporates lessons learned from analyzing and resolving privacy-related incidents.
- Technologies are configured to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded.
- A Governance, Risk & Compliance (GRC) team, or similar function, ensures that applicable statutory, regulatory and contractual cybersecurity and privacy obligations are properly governed to facilitate the implementation of secure practices that protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data.
- Administrative processes and technologies restrict and tightly control utility programs that are capable of overriding system and application controls.
- Technologies are configured to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.
- Technologies are configured to limit the number of concurrent sessions for each system account.
- Administrative processes exist to collect, validate and verify identity evidence of a user.
- Administrative processes exist to require supervisor or sponsor authorization for new accounts.
- Administrative processes exist to require that evidence of individual identification is presented to the registration authority in the registration process to receive a user account.
- Technologies are configured to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.
- Technologies are configured to implement pattern-hiding displays to conceal information previously visible on the display during the session lock.
- Administrative processes exist to require that information is available to the SOC for Incident Response Operations (IRO).
- Administrative processes exist to require that identity evidence be validated and verified through organizational-defined methods of validation and verification.
- See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
- Technologies are configured to automatically log out both locally on the network and for remote sessions, at the end of the session or
- Administrative processes exist to require that the validation and verification of identity evidence be conducted in person before a
applicable -management
Security
support engineering,
the or
organization’s
oversight aensure
similar
to(e.g., largerfunction,
the approach
--environments.
designated
-the
after
Benchmarks
An
The
ITanAsset
Business
confidentiality, Management
Process This
registration
organization-defined
ISIRT, or or similar
OEM Owners
includes (ITAM)
(BPOs),
authority.
integrity,
function,
security creating program,
in of
availability
period
works
guides) conjunction
special
with
for and
inactivity.
test, -the
- Theconfidentiality,
ISIRT,
configuration
Technologies
ensures that orsystems,
similar
hardening
are integrity,
function,
configured
applications
availability
toworks
DISA with
STIGs,
automatically
and
andCIS
processes
statutory, regulatory and contractual to incident response operations.
similar
with
hardening
-appropriate
safety
development, the function,
SOC
Administrative
of the and
requirementscategorizes
ISIRT
processes
organization’s
stakeholders
staging functions,
and for
to
endpoint
exist todevelop
High-Value
applications,
conduct
production requiredevices
incident that a Information
and
Assets safety
log outofusers,
appropriate
Benchmarks
conform
the
to
Assurance
organization’s
stakeholders
or OEMlocally
both (IA)to
security
industry-recognized onassessments
applications,
conduct
guides)
the network
standards for process
incident
test,
and
for
-cybersecurity
according
maintain
(HVAs).
notice
systems, A Governance,
of a to and
the
documented
proofing
services Riskprivacy
data
be
and & the obligations
Compliance
asset
Incident
delivered
data. stores,
Response
through
are
(GRC) an team,
transmits
Plan
out-
-
is A Governance,
operating
systems,
response
development,
for remote in
services
training an Risk
staging
sessions, and &data.
optimal
and at
Compliance
capacity.
exercises.
and
the production
end of the
(GRC) team,
session or
response
environments.
properly
or
and/or similar training
governed
function,
processes This and
to
and exercises.
includes
facilitate
facilitates
that creating
the (IAM),
the
information special
is oror/ -or configuration
similar
Metrics
An reporting
ITanAsset hardening
function,
Management ensures
includes (e.g.,that
this
(ITAM) DISA STIGs,
applicable
process
program, CIS
so itorcan
(IRP)
--of-band
hardening An
An ITthat
Identity
Asset are
channel
BusinesstoProcess &specific
Access
to
Management
requirements Owners to
verify the
Management
the
for business
user's
(ITAM)
(BPOs),
High-Value process
address
program,
inthat
conjunction
Assets - Business
environments.
after
Benchmarks Process This
organization-defined
or OEM Owners
includes
security (BPOs),
creating
period
guides) forin conjunction
special
of inactivity.
test,
implementation
available
business
similar unit.
function, theTheseof
SOC secure
cybersecurity
for
business
centrally-manages practices
Incident and
Response
process-specific protect statutory,
privacy
permissions be
with
hardening SOCregulatory
quantitatively
similar thefunction, and and
analyzed.
categorizes
requirements ISIRT contractual
functions,
for endpoint
High-Value develop devices and
Assets
(physical
with
(HVAs). the or digital).
SOC and categorizes
ISIRT functions, endpoint develop devices and development, staging and production
the
assessment
Operations
IRPs
and confidentiality,
support
implements and
(IRO).
the integrity,
authorization
organization’s
“least privileges” availability
controls
larger toand
ensure
approach
practices the cybersecurity
- A Governance,
according
maintain
(HVAs). a to and
the
documentedRiskprivacy
data & the obligations
Compliance
asset
Incident stores,
Response are
(GRC) team,
transmits
Plan
according
maintain
-secure An Identity to the
aengineering,
documented
& data the
Access asset
Incident
Management stores,
Response transmits
(IAM), Plan environments.
or This includes creating special
-safety
to
management
and/or Securityof
incident the
engineer
processes
organization’s
response
of practices
user,
and to or a
operations.
group
that are applications,
designed
similar
and
information function,
system and
is
properly
or
(IRP)
- similar
and/or
An that
Identitygoverned
function,
processes
are & specific
Access to
and facilitate
facilitates
that
to the
Management the (IAM),
the
information
business is
process or /
(IRP)
similar
systems,
implemented
ensures that thataresystems,
function,
services specific
and
throughout data. the
centrally-manages thebusiness
applications lifecycle and process
permissions
ofprocesses / hardening implementation
available torequirements
theTheseof
SOC secure for
cybersecurity
for Incident High-Value
practices and that
Response Assets
protect
privacy
-accounts,
available A Governance,toincluding
the Risk
SOC & Compliance
privileged
for Incident accounts (GRC)
Response team, business
similar unit.
function, business
centrally-manages process-specific
permissions
-business
and
systems,
conform
or
-IRPs An IT
similar
An IAM,
unit.
implements
Asset
to These
applications “least
Management business
industry-recognized
function,
or(IRO).
similar ensures
privileges”
and
function, that
process-specific
(ITAM)
services practices
program,
both internal
standards
applicable
provisions and
the
or the
for (HVAs).confidentiality,
assessment
Operations
IRPs
and support(IRO).
implements and
the integrity,
authorization
organization’s
“least privileges” availability
controls
larger toand ensure
approach
practices the
Operations
management
similar support
function, the
of organization’s
user, group
categorizes and larger
endpointsystem approach
devices - An
safety Identity
of the & Access
organization’s Management applications, (IAM), or
and
configuration
statutory,
deprovisions
-accounts, external
Security to
regulatory the
hardening
incident
engineering, organization.
andor (e.g., DISA
contractual
responders
a similar STIGs,
with
function, CIS secure
-
to Securityengineer
incident
management engineering,
response
of practices
user, or a
operations.
group are anddesigned
similar function,
system and
to
according incident orto response
including
the data operations.
privileged
the asset accounts
stores, transmits similar
systems, function,
services centrally-manages
and permissions
-Benchmarks
cybersecurity
temporary
-ensures
A GRC, that
A
AnGovernance,
IAM,
security
or and
oremergency
OEM
systems,
similarRisk
engineering
security
privacy obligations
accounts.
applications
&thatCompliance
function,
function,
guides)
provisions and for
are
(GRC)
test,
team, -accounts,
processes
and
implemented
ensures
and
Metrics
A that
are
Governance,
implements
throughout
systems,
developed
including Risk
“least &data. theprovide
applications
that
Compliance
privileged
privileges”
lifecycle
accounts and
(GRC)
practices
of
processes
team,
the
and/or
conducts
development,
properly
-or processes
administrative,
governed
Administrative and
staging to
processes and
facilitate information
physical
production
and the and
technologies is
technical exist - An
systems,
conform IT
management
or
- similar
An IAM,Asset or Management
applications
to industry-recognized
oversight
function,
similar and
ensures
function, (ITAM)
to services
ensure
that program,
both internal
standards
the
applicable
provisions and or
for
conform
deprovisions
available similar to
to industry-recognized
function,
incident
the SOC ensures
forresponders
Incidentthat standards
applicable
with
Response for management
similar function, of user,
categorizesgroup and
endpointsystem devices
Information
environments.
implementation
to
configuration automate Assurance
the This
of includes
secure
incident
hardening Programpractices
handling
(e.g., (IAP)
creating
DISAprocess. of
special
that protect
STIGs, CIS and external
configuration
management
statutory,
deprovisions to
regulatorythe
hardening
of
incident organization.
regulatoryand (e.g.,
and DISA
contractual
responders law STIGs,
withenforcement CIS
statutory,
temporary
Operations
applicable
hardening regulatory
emergency
(IRO).
cybersecurity
requirements and contractual
accounts.
and
for privacy
High-Value controls
Assets as according accounts,
-contacts
A GRC, or
Benchmarks including
to the
security
or OEMdata privileged
the
engineering
security asset accounts
stores,
function,
guides) fortransmits
test,
the
Benchmarks confidentiality, or OEM integrity,
security availability
guides) for and
test, cybersecurity
temporary process and
emergency isprivacy
operating in
obligations
accounts. an optimal
are
cybersecurity
-safety
part
(HVAs). Administrative
Security
of “business and
engineering, asprivacy
processes or
usual” aobligations
and
similartechnologies
pre-production are
function, exist - An
and/or IAM,
conducts
development, or
processes similar
administrative,
stagingand function,
that
and provisions
information
physical
production and isand exist
technical
development, of the organization’s
staging and applications,
production capacity.
properly
- governed
Administrative to
processes facilitateand the
technologies
properly
to
ensures
testing.
-systems, maintain
An Identitygoverned
that and
& make
systems,
Access to facilitate
available
applications
Management thea current
and (IAM), and
processes
or deprovisions
available
Information
environments. to incident
the SOC
Assurance
This forresponders
includesIncident
Program creating withspecial
Response
(IAP) of so
environments. services Thisand data.
includes creating special -implementation
toMetrics
automate reporting
the of includes
secure
incident this
practices
handling process that
process. it can
protect
implementation
viable
conform
-similar A Incident
Project to Management
function, of secure
Response
industry-recognized
centrally-manages practices
Plan
Office (IRP)
(PMO), that
to
standards all
or protect
permissions for
project temporary
Operations
applicable
hardening emergency
(IRO).
cybersecurity
requirements accounts.
and
for privacy
High-Value controls
Assets as
-hardening An IT Asset Management
requirements for (ITAM)
High-Value program, Assets or be
the quantitatively
confidentiality, analyzed.
integrity, availability and
the
stakeholders.
configuration
management
and confidentiality,
implements hardening
function, integrity,
“least (e.g.,
facilitates
privileges” availability
DISA STIGs,
project
practices andCISthe - Administrative
Security
part
(HVAs).of engineering,
“business processes
as or
usual” a and
similar technologies
pre-production function, exist
similar
(HVAs).
safety
-involvement function,
of the or
Administrative categorizesexist
organization’s
processes endpoint
applications,
to devices
regularly safety
to of theand
maintain organization’s
make applications
available applications,
a current and
Benchmarks
management
according to & for
the OEM
data security
Information
ofAccess
user, group
the asset guides)
Assurance
and system
stores, for test,
Program
transmits ensures
testing.
- An that
Identity
systems, servicessystems,
& Accessand data.Management and processes
(IAM), or
-development,
systems,
update An Identity services
incident and
response
staging Management
data.
and strategies
production (IAM),
to keep or viable
conform Incident
to Response
industry-recognized Plan (IRP) to
standards all for
(IAP)
accounts,
and/or
similar as part
processes
function, of
including the organization’s
and privileged
that
centrally-manages information established
accounts is
permissions -
- A
AnProject
similar
IT function,
Asset Managementcentrally-manages
Management Office
(ITAM) (PMO), or
permissions
program, project
or
-current
project An IT
-environments.
IAM, Asset
with
management
An implements orthe Management
business
This
similar needs,
includes
processes.
function, (ITAM)
technology
creating
provisionsprogram,
special
and or stakeholders.
changes configuration
management
and implements hardening
function, (e.g.,endpoint
facilitates
“least privileges” DISA STIGs,
project
practices CISthe
available
and
similar to
function,
regulatory SOC
“least for
categorizes
requirements. Incident
privileges” endpointResponse
practices
devices the similar function, categorizes devices
hardening
-deprovisions
Security
Operations requirements
engineering,
incident
(IRO). orfor High-Value
a similar
responders function,
with Assets -involvement Administrative
Benchmarks
management
according to or ofOEM
for
the
processes
datasecurity
Information
user, group
the
exist
asset
to
guides)
Assurance
and regularly
system
stores, forProgram
test,
management
according
(HVAs).
ensures that to of user,
the data
systems,
group
the asset
applications
andstores,
system
and transmits
processes update incident
development,
(IAP) as part of response
staging
the and
organization’sstrategies
production to transmits
keep
established
-temporary
Security
accounts, emergency
engineering,
including accounts.
or
privileged a similar
accounts function, accounts,
and/or including
processes and privileged
that accounts
information is
-and/or
ensures
processes
An Identity
conform to
that & and
Access
industry-recognized
systems,
that
Managementinformation
applications standards
and
is for
(IAM), or
processes
current
project
- An IAM,
available
with
environments.
management
toorthe business
This
SOCincludes
similar needs,creating
processes.
function,
for Incident
technology
provisions
Response specialchanges
and
-similar
An IAM,
available toor
function, similar
the SOC function,
for Incident
centrally-manages provisions
Response and
permissions and regulatory
hardening requirements.
requirements for High-Value Assets
configuration
conform
deprovisions to (IRO). hardening
industry-recognized
incident (e.g.,
responders DISA STIGs,
standards
with CIS
for - Security
deprovisions engineering,
Operations (IRO). incident or a
responders similar function,
with
Operations
and implements
Benchmarks “least
orhardening
OEM privileges”
security guides) practices
for test, the ensures (HVAs).
configuration
temporary
-management emergency
Security engineering, (e.g.,
accounts.
or aproduction DISA
similar STIGs,
function, CIS - Securitythat
temporary systems, applications
emergency
engineering, accounts.
or a similar function, and processes
development,
Benchmarks or of user,
staging
OEM group
and
security and
guides)system forprocesses - An Identity
conform
test,and ensures that systems, applications and to & Access
industry-recognized Management standards(IAM), or
for
processes
-accounts,
Physicalthat
ensures controls,
systems,
including administrative
applications
privileged accountsprocesses
and similar function, centrally-manages permissions
environments.
development,
technologies Thistoincludes
staging
exist and production
perform creating
digital special
forensics configuration hardening (e.g., DISA
conform to industry-recognized STIGs, CIS
standards for
conform
- An IAM,to orindustry-recognized
similar function, standards
provisions and for and implements “least privileges” practices the
-part
-A A GRC, or security
of “business as engineering
usual” function,
pre-production (GRC) team, conducts administrative,
Governance, Risk & Compliance capacity.
implemented throughoutphysical the lifecycle and technical
of
conducts
testing.
or similar function, facilitates the administrative, physical and technical Information
-systems, Assurance
Metrics applications
reporting includes Program
and services (IAP)
this processboth ofinternal
so it can
Information
-implementation Assurance
A Project Management Program
of cybersecurity Office (PMO), (IAP) ofor project applicable
and privacy be cybersecurity and privacy controls as
andquantitatively external to the analyzed.
organization.
applicable
management
assessment cybersecurity
andfunction,
authorization and privacy
facilitates controls controls
project to ensure as -part of “business
A Governance, as engineering
Risk usual” pre-production
& Compliance (GRC) team,
GRC, or security function,
part
involvement
secure engineer practices are designed and of “business for as usual”
Information pre-production
Assurance Program testing.
or similar function, facilitates the
conducts administrative, physical and technical
testing.
(IAP) as part ofthroughout
the organization’s established -implementation A Project Management Office (PMO),
implemented the lifecycle of Information of cybersecurity
Assurance Program ofor project
and privacy
(IAP)
-project
systems, applications and services both internal assessment A Project Management
management Office
processes. (PMO), or project management function,
and authorization facilitates project
controls to ensure
applicable cybersecurity and privacy controls as
management
-and Security
external function,
engineering,
to facilitates
or
the organization. a similarproject function, involvement
secure for Information Assurance Program
part of engineer “business practices
as usual”are designed and
pre-production
involvement
-ensures A GRC, that for
or security Information
systems, applications
engineering Assurance
function, Program implemented
and processes (IAP) as part ofthroughout
the organization’s theprovide established
lifecycle of
testing.
-project Metricsmanagement
are developed that
(IAP)
conform
conducts administrative, physical and technical as part
to of the organization’s
industry-recognized established
standards for systems, processes.
-management A Projectapplications
Management
oversightor and services
Office
toaensure (PMO),both
the internal
or project
project
configuration
Information management hardening
Assurance processes.
(e.g., DISA
Program (IAP) STIGs,
of CIS -and Security
external engineering,
to the organization. similarproject
function,
management function, facilitates
-Benchmarks
applicable Security engineering,
or OEM security
cybersecurity oranda similar
guides)
privacy for test, as maintenance
function,
controls ensures
-involvement GRC, that
A optimal
operations
systems,
or capacity.
security
for
process is and
applications
engineering
Information
operating
function,
Assurance processes
Program
in
-ensures
development, A Governance,
that Risk
systems,
staging & Compliance
applications
and production (GRC)
and team,
processes an
conform to industry-recognized standards for
part
or of “business
similar function, as usual” pre-production conducts
(IAP) as partadministrative,
of the organization’s physical and technical
established
conform
environments.
testing. to This develops,
industry-recognized
includes creating disseminates,
standards special for -configuration
Information
project
Metrics reporting
management hardening
Assurance
includes (e.g.,
Program
processes.
thisDISA process
(IAP)STIGs,
of
soCIS
it can
reviews
configuration
hardening & updates hardening
requirements guidance (e.g.,
for toDISA
facilitate
High-Value STIGs, the
CIS
Assets be
Benchmarks
- quantitatively
Metrics are or OEM analyzed.
developed security
that guides)
provide for test,
-secure A Project
andManagement
timely Office (PMO),
implementation of forortest,project applicable
-- Security A Governance, cybersecurity
engineering,
Risk &and or and privacy
a similar
Compliance controls
function,
(GRC) team, as
Benchmarks
(HVAs).
management orfunction,
OEM security
facilitatesguides) project development,
management
part of “business staging
oversight
as usual” production
to ensure the
pre-production access
maintenance controls across the enterprise, ensures that systems, applications and processes
development,
-involvement An IT Asset Managementstaging
for Information and production
(ITAM)
Assurance program, Programor or environments.
control
testing.
conform
similarfor function,
mobile
toupdates
develops,
Thisdevices
includes
industry-recognized
disseminates,
creating
process standards special
is operating for in
including
environments.
similar
-(IAP) preventative
function,
A Governance, This
categorizes
Risk and
includes
& Compliancereactionary
creating
endpoint special
devices
(GRC) team, an reviews
hardening optimal& requirements
capacity. guidance for to facilitate
High-Value the
Assets
as part of the organization’s established -
configuration A Project Management
hardening Office
(e.g.,provide(PMO),
DISAof or
STIGs, CIS project
maintenance
hardening
according
or similar to operations.
requirements
the
function, data thefor
ensures assetHigh-Value
that stores,
applicable Assets --(HVAs).
transmits secure Metrics
Metrics and are
are developed
timely
developed
reporting that
implementation
thatthis provide
project
-statutory, management
Administrative processes processes. and technologies exist management
Benchmarks
management
maintenance or OEMincludes
function,
oversight
controls facilitates
security
to
across guides)
ensure
the
process
project
the for
data
enterprise,
so it can
test,
flow
(HVAs).
and/or
-toSecurity processes
regulatory
engineering, andand applies
or the appropriate
contractual
a similar function, management
--involvement
be An IT Asset
quantitatively
Metrics are oversight
Management
for analyzed.
developed
Information to
that ensure
(ITAM)
provide
Assurance the mobile
program, Program or
conduct controlled and timely maintenance development,
enforcement
including staging
process
preventative and
isand production
operating
reactionary in(GRC)
an optimal
-technology
cybersecurity
ensures An IT Asset
that Management
controls
and
systems, to
privacy protect (ITAM) the
obligations
applications program,
assetare and or device
similar
-
management A tampering
function,
Governance, protection
categorizes
Risk
oversight & Compliance
to ensure process
endpoint the is operating
devices
networkteam,
-activities
similar
-properly
data. A
A Governance,
throughout
function,
Governance,
governed Risk
Risk to&
categorizes
&the Compliance
lifecycle
Compliance
facilitate endpoint
the ofand
(GRC)
the processes
devices
(GRC) team,
system,
team,
(IAP)
environments.
capacity.
maintenance
in
according
or an
as part ofoperations.
optimal
similar to
the organization’s
This
capacity.
the
function, data
includes
the
ensures asset
creating
that
established
stores,
special
applicable transmits
conform to industry-recognized standards for security
project
hardening management
management
requirements process
processes.
for is operating
High-Value soin
Assets an
-or
application
according
or
-implementation
configuration A
similar function,
similar
Administrative
Governance,
function,
toortheservice.
data ensures
processes
of
Risk
hardening secure
& the
ensures thatstores,
asset
that
exist
practices
Compliance
(e.g., DISA
applicable
applicable
to ensure
that
(GRC)transmits
STIGs, protect
team,
CIS
-statutory,
-and/or
optimal
-
(HVAs).
Metrics
Metrics
Security
reporting
Administrative
reporting
processes
regulatory
capacity.
engineering, andincludes
processes
includes
applies
andor a
this
and
this
the
contractual
similar
process
technologies
process
appropriate
function, so itexist
it can
can
statutory,
-statutory,
and/or
Business
the Maintenance regulatory
processes
Process
confidentiality, operations
regulatory and
Owners and
and
integrity, contractual
applies areavailability
(BPOs) centralized
the
contractual appropriate
develop in
and
and be
to
be
technology
-
cybersecurity quantitatively
conduct
quantitatively
Metrics are controlled
controls analyzed.
analyzed.
developed
and to
privacy and
protect
that timely the
provide
obligations maintenance
asset are and
or
Benchmarks
cybersecurity similar function,
orand
OEM ensures
security
privacy that
guides)
obligations applicable
for
are test, ensures
- An reporting
that
IT Asset systems,
Management includes this process
applications
(ITAM) and
program, soteam,
itorcan
processes
terms
technology
cybersecurity
maintain
safety
statutory,
development,
of
of changecontrols
System
the and
regulatory
management,
toand
privacy
Security
organization’s
staging protect
and Plans
mobile
contractual
but
the
obligations
production(SSPs)asset
devices. similar -activities
decentralized
or and
are -properly
data.
management
be
conform
similar
A Governance,
throughout
A quantitatively
Governance,
governed
to
function,
Risk
Risk
oversightto& the
&
analyzed.
industry-recognized
categorizes
Compliance
tolifecycle
Compliance
ensure
facilitate the of
the (GRC)
standards
endpoint
the
(GRC)
data system,
team,
devicesflow
for
properly
in
-data.
properly
documentation, terms
An governed
of
IT Asset execution.
governed to
to
toprivacy
Management facilitate
facilitate
identify and
(ITAM) the
the
maintain
program, keyor or -application
or
enforcement
implementation similar
Metrics
similar
Administrativefunction,
are ordeveloped
service.
function,
process
of ensures
ensures
processes is
secure that that
provide
that
exist
operating
practices applicable
applicable
to inensure
antransmits
that optimal
protect
cybersecurity
environments. and
This includes obligations
creating are
special -configuration
according A Governance, to Risk
hardening
the data &theCompliance
(e.g.,
asset DISA
stores, (GRC)
STIGs, team,
CIS
-implementation
-implementation
architectural
similar
properly
hardening
A Change
Administrative
A Governance,
function,Control
governed
of
Risk secure
Board
processes
of
informationsecure
governs
requirements to on
&facilitatenetworking
(CCB),
require
practices
Compliance
Mobile
for eachthe
or
High-Value systempractices
similar
thatAssets
critical
Device(GRC) protect
system,
team, capacity. statutory,
-
management
statutory,
Business
the
or
Benchmarks
Maintenance
similar
regulatory
Process
confidentiality,
function,
or
operations
oversight
regulatory
OEM Owners and
and to
integrity,
ensures
security
contractual
are
ensure
(BPOs) centralized
contractual the for
develop
availability
that
guides)applicableremote in
and
and
test,
that
function, protect the
centrally confidentiality,
manages the integrity,
process of and/orofprocesses
cybersecurity
terms change and and
privacy
management, applies the
obligations
but appropriate
are
decentralized
developers
the
application
or
Management
implementation similar and
confidentiality,
function, integrators
or (MDM)
service. integrity,
ensures
of secure to ensure to
that create
availability
networking and
applicable
mobile and
devices
practices purging
cybersecurity
maintain
-safety Metrics ofofthe mobile
System and
reporting devices
privacy
Security
includes
organization’s process
obligations
Plansthisthe
mobile isdevices.
(SSPs)
process operating
are
or so
similar
it canin
(HVAs).
availability
maintenance
-safety
execute
statutory,
that A Governance,
of
store,a and safety
operations
Information
the Risk
organization’s
regulatory
transmit &
andof the
to
Assurance
and/or organization’s
reduce
Compliance
mobile
contractual
process the
(GRC)
Program chance
devices.
sensitive team,
(IAP)of statutory, development,
technology
properly
in
an
properly
documentation,
be
- terms
An optimal
regulatory
governed
of
quantitatively
IT Asset
staging
controls
execution.
capacity.
governed to to
to
and
to
analyzed.
Management
and contractual
protectproduction
facilitate
facilitate
identify and
(ITAM) the
the
asset
maintain
program,
and
key or
-applications, An ITprotect
Asset the confidentiality,
Management
systems, services (ITAM) andintegrity,
program,
data. or cybersecurity environments.
data. and
This privacy
includes obligations
creating are
special
business
or
plan
-organizational
cybersecurity
availability
similar Ansimilar
toAsset
IT interruptions
function,
identify
function,and andand
Management
data
safety ensures
privacy
are
categorizes
from
remediate
of the
maintenance
that
(ITAM)
obligations
appropriately applicable
flaws
organization’s
endpoint during
program,
are
protected
devices or implementation --implementation
architectural
similar
properly
hardening
-
A
A Change
Metrics
Governance,
function,Control
reporting
governed
Administrative
of
of
information
Risk secure
Board
includes
secure
governs
requirements to
processes onnetworking
(CCB),
&facilitate this
practices
Compliance
Mobile
for eachthe
or
process
High-Value
require that
critical
Device(GRC)
system
practices
similar so it can
protect
system,
team,
Assets
-operations.
statutory,
development.
- A Technology Infrastructure team, or similar function, facilitates the implementation of secure networking practices.
- An IT Asset Management (ITAM) program, or similar function, categorizes network devices according to the data the asset stores, transmits and/or processes and applies the appropriate technology controls to protect the asset and data.
- IT/cybersecurity architects work with the Technology Infrastructure team to implement a "layered defense" network architecture that provides redundancy and risk reduction for network-based security controls.
- Security engineering, or a similar function, ensures that network devices conform to industry-recognized standards for configuration hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments. This includes creating special hardening requirements for High-Value Assets (HVAs).
- An Identity & Access Management (IAM), or similar function, facilitates the implementation of identification and access management controls for network devices.
- An IAM, or similar function, centrally-manages permissions and implements "least privileges" practices for the management of user, group and system accounts, including privileged accounts.
- Active Directory (AD), or a similar technology, is used to centrally-manage identities and access permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for network infrastructure devices.
- Boundary protection technologies monitor and control communications at the external network boundary and at key internal boundaries within the network.
- Mobile Device Management (MDM), or a similar function, manages the organization's mobile devices to ensure the devices and the data the devices store, transmit and/or process are appropriately protected from physical and digital threats.
- A Technology Infrastructure team, or similar function, ensures that mobile devices are officially authorized to store, transmit and/or process sensitive data.
- Technologies are configured to enforce requirements for the connection of mobile devices to organizational systems.
- Technologies are configured to remotely purge selected information from mobile devices.
- Technology controls protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network.
- A Governance, Risk & Compliance (GRC) team, or similar function, ensures that applicable cybersecurity and privacy obligations are properly governed to facilitate the implementation of appropriate statutory, regulatory and contractual controls across the enterprise.
- A Governance, Risk & Compliance (GRC) team, or similar function, ensures that applicable cybersecurity and privacy obligations are properly governed to facilitate the implementation of appropriate physical security controls across the enterprise.
- Metrics are developed that provide management oversight to ensure the process is operating in an optimal capacity.
- Metrics reporting includes this process so it can be quantitatively analyzed.
- A physical security team, or similar function, facilitates the operation of physical security controls.
- A facilities maintenance team, or similar function, facilitates the operation of environmental protection controls.
- A physical security team, or similar function, maintains a current list of personnel with authorized access to organizational facilities and work areas.
- Technologies are configured to use physical access controls.
- Administrative processes define, control and review remote access methods.
- Technologies are configured to monitor and control remote access sessions.
- Cryptographic mechanisms protect the confidentiality and integrity of remote access sessions.
control implements
Technologies
governed
accounts,
remote access are toteam,
“least
configured
including
to
access facilitateor similar
privileges” tothe
privileged
organizational
sessions. route function,
practices
accounts.
facilities the
and management
all remote practices
cryptographic
or
-integrity,
environmental Ansimilar
IAM,
that
Administrativefunction,protect
controls.
mechanisms
orproduction
similar
the confidentiality,
ensures
function,
protection
processes to
that protect
applicable
centrally-manages
controls.
define, the and
-and
facilitates
management
accesses
implementation An implements
Identity the
through &of “least
Access
operation
user,
ofmanaged privileges”
Management
of physical
group
appropriate and
network practices
system
physical (IAM),
security
access the
or
security
management
staging
-
confidentiality
statutory, An and
Identify controls.
availability
and
regulatoryand Access and
integrity
and environments.
safety
Management
of
contractual of control
remote This
the (IAM),
accessor
-controls.
facilitates
management
similar Active Directory
Technologies the of
function, (AD),
implementation
areuser,
facilitates or athe
configured
group similar
andof
to technology,
physical
use
system
implementation accessis -permissions review
includes
organization’s A
An physical
remote
Identify
creating and
security
and implements
access
Accessteam,
special
technology methods. or “least
Management
hardening
assetssimilar
and privileges”
function,
(IAM),
requirements
data. or
accounts.
control
practices
used
management
cryptographic to IAM
points
that integrates
(e.g.,
protect
centrally-manage
controls.
mechanisms VPN the into physical
concentrator).
confidentiality,
identities
to protect and access
the for similar
sessions.
cybersecurity
practices
maintains
--for function,
Technologies the and centrally-manages
management
a security
current
are privacy
list
configured obligations
of
of personnel user,
to monitor permissions
groupare
with and and
accounts.
-aof
-integrity, A facilities
holistic IAM
identification
approach
Administrative integrates
and
maintenance toaccess
processes into
physical and physical
management
team, andor similar
logical
technologies access for similar
access. and
- A function,
High-Value
physical
implements
Technologies are centrally-manages
Assets
“least (HVAs).
team, or
privileges”
configured similar
to route permissions
function,
practicesall the
remote
permissions.
-confidentiality An Identifyavailability
Only
and by
Access and safety
exception
Management of the
due aaccessor properly
to (IAM), system governed
accounts, toorganizational
includingfacilitate thepractices
privileged accounts.
acontrols
function,
-govern
organization’s
holistic
Active approach
for
Directory
remote
and
network
facilitates integrity
to
(AD),
access
technology
physical
devices.
the operation
toor
of and
aassets
remote
similar
systems oflogical
dataaccess.
technology,
and
and data. for is and -authorized
control
facilitates
management
accesses
implementation
remote
An implements
Identity theaccess
through &of
operationto
access
“least
Access
user,
ofmanaged
sessions.
privileges”
Management
group
appropriate of physical
and
network system
physical
facilities
(IAM),
security
access
and
the
or
security
technical
similar
sessions.
-used
environmental Active
An IAM, or
function,
Directory
or business
similar (AD), limitation
centrally-manages
or
function,
protection a are
similar solutions
permissions
technology,
centrally-manages
controls. is -
facilitates
management
similar
controls. Active Directory
Technologies the
function, of (AD),
implementation
areuser,configured
facilitates or
group a similar
theand of
to technology,
physical
use
system
implementation accessis
remote
-and
authorized
--used A to workers.
centrally-manage
physical
implements
Technologies security
to operate
are “least team, identities
or similar
aprivileges”
configureddecentralized
to route and
function,
access
practices the accounts.
all remote control
practices
used
management
cryptographic IAMcontrols.
to points
that integrates
(e.g.,
protect
centrally-manage
mechanisms VPN into
theconcentrator).physical
confidentiality,
identities
to protect and access for
the
permissions
permissions.
-management A to centrally-manage
physical
Administrative and
security
Only implements
by team,
processesexception identities
or
and “least
similar
due and
privileges”
tofunction,
technologies a -accounts.
of
a
- Aholistic
AdministrativeIAM
identification
facilities integrates
and
maintenance
approach toaccess
processes into
physicalteam,
and physical
management
or the
and similar
logical
technologies access for
access.
facilitates
control
accesses
permissions. the
program
through operation
Only for
of user, network
managed
by of
group
exception physical
networkdue security
infrastructure
and systemtoaccess
a integrity,
-permissions.
confidentiality
a An Identify
holistic availability
approach Only
and and by
Access and
exception
integrity
to safety
Management
physical of and of
due
remote to (IAM),
logicalaaccess or
access.
practices
maintains
technical
proactively the
ora management
current
business
control list
and of
limitation
monitor of user,
personnel are group
with
physical
third-party and controls
function,
-technical
govern for
Activefunction,
Directory
remote network
facilitates (AD),
access devices.
the operation
toorsystems
aassets
similar of
technology,
and data for is
controls.
devices.
accounts.
control IAM
points integrates
(e.g., into physical accessand for organization’s -similar or technology
business limitation
centrally-manages areand data.
solutions
permissions
technical
system
authorized
security
accounts
-a-security A facilities
or
accounts,
used business
access
solutionsmaintenance toVPN
including
authorized
toprocesses
access,
concentrator).
limitation
support,
team,
are
privileged
organizational toandoperate
or or physical
accounts.
facilities
similar a access.
maintain
sessions.
environmental
used
remote
-and Active
An IAM, Directory
orsecurity
to workers.
Metrics
A similar
centrally-manage
physical are developed (AD),
team,
or
function,
protection that acontrols.
similar
identities
or provide
similar
technology,
centrally-manages
and
function,
is
-decentralized Boundary
holistic
Administrative
Active protection
approach
solutions
Directory to
authorized
(AD), technologies
physical
or a and to
similaroperate monitor
logical
technologies a
technology, and is authorized
-
used
permissions implements
Technologies
to to operate
are
centrally-manage
and “least
implements a decentralized
privileges”
configured to
identities
“least route and access
practicesall
privileges” the
remote
facilitates the access
implementationcontrol ofaccess.
program physical for access management --management A physicalthe security byteam, or similar function,
system
function,
-control
govern
decentralized
used
management Active components
facilitates
communications
Directory
toremote
centrally-manage (AD),
access
access
controls.
via
the remote
operation
toor
controlat athesimilar
systemsprogram
identities
oftechnology,
external
and and data
for for is permissions.
network facilitates
control
accesses
permissions.
practices
maintains
Administrative
program
through
the
Only
Only
processes
oversight
operation
of for
user,
managed
by
management
acontrol
current
exception
networkto
group
exception
list of
and
ofensure
physical
ofand
network
personnel
due
due
user,system to
technologies
the a
supporting
security
infrastructure access
to
group a and
with
systems,
-used
environmental
boundary
remote applications
Administrativeandand
to workers.
centrally-manage processes
protection
at key or services.
internal and
controls.technologies
boundaries
identities and within technical
proactively
utilities
controls.
devices.
accounts.
control or
process
IAM
points businessis and
integrates
(e.g., VPNlimitation
operating monitor
into in are
an
physical
concentrator). physical
third-party
optimal accessand for
-systems,
permissions.
-validate An
A
applications
Identify
IT Asset
software
Governance,
physical Only
security by
Access
Management or services.
exception
Management
versions/patch
Risk &
team, (ITAM)
Compliance
or due
similar to
program,
levels
(GRC) a
(IAM),
and or
or capacity.
team,
function,
technical
system
authorized
-security
accounts A
or
accounts,
solutions
facilitiesused business
access
maintenance
limitation
including
to organizational
authorized
toprocesses
access, support,
team,
are
privileged
toandoperate
oror
physical
accounts.
facilities
a access.
maintain
similar
the
-permissions.
technical An network.
Administrative
IT Assetor Only
Management
business by
processesexception
limitation and
(ITAM) due
are to
technologies
program,a
solutions or a
-
security
-function, Boundary
holistic protection
approach
Administrative
solutions
Active components
Directory to
authorized
(AD), technologies
physical
or and to
a similar monitor
logical
technologies
operate a and
similar
similar
control
or
maintains
-technical
proactively
similar
function,
function,
similarremote
Administrativefunction,
oracontrol
function, current
business
centrally-manages
categorizes
devicesensures
list
processes
and
categorizes
connecting
of endpoint
that
personnel
limitation
monitorand are
permissions
to
applicable devices
corporate
with
technologies
physical
third-party
endpoint devices
facilitates
-decentralized
system
control
-decentralized
govern Metrics
Active
thedeveloped
are
reporting implementation
access
facilitates
communications
Directory
remote access
control
via
includes
the
(AD),
access that
remote
operation
toor
control at athe
systems provide
program
this oftechnology,
ofaccess.
physical
process
external
similar
program
for soaccess
it can
network
technology,
and data
for for
is
is
authorized
and
according
networks
statutory,
authorized implements to
or to operate
the
storing
regulatory
access “least
data and a
the
and decentralized
privileges”
asset
accessing
contractual
to organizational stores, access
practices the
transmits
organization used
management
systems,
-
be to centrally-manage
controls.
oversight
applications
Administrative
quantitatively processes
analyzed. or to identities
ensure
services.
and the and
technologies automatic
establish
security
accounts
according
control
management trust
solutions
used
to
program the
ofrelationships
authorized
touser,
access,
data
for the
network
group assetwith
support,tostores,orfacilities
other
operate
infrastructure
and system a and environmental
maintain
transmits boundary
used
remote
systems,
permissions.
- An andand
to workers.
applications
Identify at
centrally-manage
Only
protection
key
by
Access internal
or controls.
services.
exception
Management boundar
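The remote-access control above (all remote accesses routed through managed network access control points such as a VPN concentrator) is the kind of statement an assessor has to test against a real firewall ruleset rather than accept on paper. The following is an added example, not part of the template, showing one such check in Python: it flags any effective allow rule that opens an administrative port on an internal host from a source that is neither internal nor the concentrator. The ruleset, the concentrator address, the internal ranges and the rule names are constructed for illustration, and first-match (top-to-bottom) evaluation is assumed.

```python
"""Audit check: do any inbound remote-administration paths bypass the managed
access control point (VPN concentrator)?  Added example; all addresses, rule
names and semantics below are constructed assumptions, not assessment data."""
import ipaddress
from dataclasses import dataclass
from typing import List

# TCP ports that give interactive administrative access to a host (assumption).
REMOTE_ADMIN_PORTS = {22, 3389, 5900, 5985, 5986}

# Constructed: the only sanctioned entry point for remote workers.
MANAGED_ACCESS_POINTS = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed: address space treated as inside the organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"; evaluated first-match, top to bottom
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: int    # destination TCP port


def _within(cidr: str, nets) -> bool:
    """True if the whole CIDR lies inside one of `nets` (same IP version)."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def _shadowed_by(rule: Rule, earlier: List[Rule]) -> bool:
    """True if an earlier deny already matches every packet `rule` would allow."""
    return any(r.action == "deny" and r.dport == rule.dport
               and _within(rule.src, [ipaddress.ip_network(r.src)])
               and _within(rule.dst, [ipaddress.ip_network(r.dst)])
               for r in earlier)


def find_bypasses(rules: List[Rule]) -> List[str]:
    """Names of effective allow rules that reach an internal host on an admin
    port from a source that is neither internal nor a managed access point."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or rule.dport not in REMOTE_ADMIN_PORTS:
            continue
        if _within(rule.src, INTERNAL_NETS) or _within(rule.src, MANAGED_ACCESS_POINTS):
            continue  # internal traffic, or traffic arriving via the concentrator
        if not _within(rule.dst, INTERNAL_NETS):
            continue  # not a path into the organization's own hosts
        if _shadowed_by(rule, rules[:i]):
            continue  # never reached under first-match evaluation
        findings.append(rule.name)
    return findings


def control_status(rules: List[Rule]) -> str:
    """Assessment verdict for this control (status labels are an assumption)."""
    return "Gap" if find_bypasses(rules) else "Implemented"


# Constructed sample ruleset.
RULES = [
    Rule("allow-vpn-to-jump", "allow", "203.0.113.10/32", "10.0.5.10/32", 22),
    Rule("allow-admin-lan-rdp", "allow", "10.0.0.0/8", "10.0.0.0/8", 3389),
    Rule("deny-vendor-rdp", "deny", "198.51.100.0/24", "10.0.0.0/8", 3389),
    Rule("allow-vendor-rdp", "allow", "198.51.100.7/32", "10.0.5.20/32", 3389),
    Rule("allow-any-ssh-legacy", "allow", "0.0.0.0/0", "10.0.7.0/24", 22),
    Rule("allow-vendor-winrm", "allow", "198.51.100.0/24", "10.0.5.0/24", 5985),
    Rule("allow-web", "allow", "0.0.0.0/0", "10.0.9.10/32", 443),
]

if __name__ == "__main__":
    for name in find_bypasses(RULES):
        print("bypasses managed access point:", name)
    print("control status:", control_status(RULES))
```

The shadowing check matters in practice: `allow-vendor-rdp` looks like a bypass in isolation, but the earlier `deny-vendor-rdp` covers it, so reporting it would be a false positive; the legacy any-to-SSH rule and the vendor WinRM rule are the real findings and make the control a gap.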