SEARCH CSRC: ABOUT MISSION CONTACT

CSRC HOME

GROUPS

PUBLICATIONS

DRIVERS

NEWS & EVENTS

ARCHIVE

CSRC HOME > GROUPS > SMA > FISMA

FISMA Detailed Overview Risk Management Framework (RMF) RMF Steps / FAQs / Guides Applying the RMF to Federal Information Systems Course Security Categorization Security Controls Security Assessment Assessment Cases Overview Assessment Cases Access Control Awareness and Training Audit and Accountability Certification, Accreditation, and Security Assessments Configuration Management Contingency Planning Identification and Authentication Incident Response Maintenance Media Protection Physical and Environmental Protection Planning Program Management Personnel Security Risk Assessment System and Services Acquisition System and Communications Protection System and Information Integrity Authorization and Monitoring Security Configuration Settings Industrial Control System Security Compliance Resources News Events Schedule

ASSESSMENT CASES - DOWNLOAD PAGE (CONSISTENT WITH SP 800-53A REVISION 1 DATED JUNE 2010)

Key to Download Case Assessment Files: There is a Microsoft (MS) Word file for each assessment case, and an assessment case for each security control identified below. For example, file name: SP-800-53A-R1_ Assessment Case _ AC-02_ipd.docx is the Word file for assessment case for the Access Control family security control AC which is named Account Management.

To make it easier to download these assessment cases, we created 19 separate zip files. There is a zip MS Word file for each security control All assessment case files for a particular family (e.g., Access Control, Maintenance, etc.) are within one zip file. For example, for the Access Contro family, there are 22 MS Word documents inside the zip file, for the 22 separa assessment cases that are included in Access Control family. There are 18 separate families for these assessment cases. The tables below should help you figure out what family you need to download and/or what files to open within that particular family. The 19th zip file contains ALL of the assessment case files for all 18 families, which are separately zipped up in one zipped

Download All 18 Families (Word Format) In 1 .Zip File MB)

Note: After downloading the complete set of 18 families in one zipped file, once the file is unzipped, then you will find each family in its own separate zipped file - 18 zipped files total. Once a particular family zipped file is unzipped, then you will find multiple MS Word files - one for each Control Name for that particular family. Refer to tables below for guidance for titles of each control name.

ACCESS CONTROL
CONTROL NUMBER AC-1 AC-2 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 CONTROL NAME

Access Control Policy and Procedures Account Management Access Enforcement Information Flow Enforcement Separation of Duties Least Privilege Unsuccessful Login Attempts System Use Notification

FAQs - FISMA Project

AC-9 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-20 AC-21 AC-22

Previous Logon (Access) Notification Concurrent Session Control Session Lock Session Termination Supervision and ReviewAccess Control Permitted Actions without Identification or Authentication Automated Marking Security Attributes Remote Access Wireless Access Access Control for Mobile Devices Use of External Information Systems User-Based Collaboration And Information Sharing Publicly Accessible Content

Download The 22 Access Control Assessment Cases (Word Zip)

AWARENESS AND TRAINING

CONTROL NUMBER AT-1 AT-2 AT-3 AT-4 AT-5 CONTROL NAME

Security Awareness and Training Policy and Procedures Security Awareness Security Training Security Training Records Contacts with Security Groups and Associations

Download The 5 Awareness And Training Assessment Cases (Word Zip)

AUDIT AND ACCOUNTABILITY

CONTROL NUMBER AU-1 AU-2 AU-3 AU-4 CONTROL NAME

Audit and Accountability Policy and Procedures Auditable Events Content of Audit Records Audit Storage Capacity

AU-5 AU-6 AU-7 AU-8 AU-9 AU-10 AU-11 AU-12 AU-13 AU-14

Response to Audit Processing Failures Audit Review, Analysis, and Reporting Audit Reduction and Report Generation Time Stamps Protection of Audit Information Non-repudiation Audit Record Retention Audit Generation Monitoring and Disclosure Session Audit

Last updated: February 3, 2012 Page created: August 7, 2008

Download The 14 Audit And Accountability Assessment Cases (Word Zip)

Back To Top

CERTIFICATION, ACCREDITATION AND SECURITY ASSESSMENTS

CONTROL NUMBER CA-1 CA-2 CA-3 CA-4 CA-5 CA-6 CA-7 CONTROL NAME

Security Assessment and Authorization Policies and Procedures Security Assessments Information System Connections Security Certification Plan of Action and Milestones Security Authorization Continuous Monitoring

Download The 7 Certification, Accreditation And Security Assessment Cases (Word Zip)

Back To Top

CONFIGURATION MANAGEMENT
CONTROL NUMBER CM-1 CM-2 CM-3 CM-4 CM-5 CONTROL NAME

Configuration Management Policy and Procedures Baseline Configuration Configuration Change Control Security Impact Analysis Access Restrictions for Change

CM-6 CM-7 CM-8 CM-9

Configuration Settings Least Functionality Information System Component Inventory Configuration Management Plan

Download The 9 Configuration Management Assessment Cases (Word Zip)

Back To Top

CONTINGENCY PLANNING
CONTROL NUMBER CP-1 CP-2 CP-3 CP-4 CP-5 CP-6 CP-7 CP-8 CP-9 CP-10 CONTROL NAME

Contingency Planning Policy and Procedures Contingency Plan Contingency Training Contingency Plan Testing and Exercises Contingency Plan Update Alternate Storage Site Alternate Processing Site Telecommunications Services Information System Backup Information System Recovery and Reconstitution

Download The 10 Contingency Planning Assessment Cases (Word Zip)

Back To Top

IDENTIFICATION AND AUTHENTICATION

CONTROL NUMBER IA-1 IA-2 IA-3 IA-4 IA-5 IA-6 IA-7 IA-8 CONTROL NAME

Identification and Authentication Policy and Procedures User Identification and Authentication (Organizational Users) Device Identification and Authentication Identifier Management Authenticator Management Authenticator Feedback Cryptographic Module Authentication Identification and Authentication (Non-Organizational Users)

Download The 8 Identification And Authentication Assessment Cases (Word Zip)

Back To Top

INCIDENT RESPONSE
CONTROL NUMBER IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 IR-7 IR-8 CONTROL NAME

Incident Response Policy and Procedures Incident Response Training Incident Response Testing and Exercises Incident Handling Incident Monitoring Incident Reporting Incident Response Assistance Incident Response Plan

Download The 8 Incident Response Assessment Cases (Word Zip)

Back To Top

MAINTENANCE
CONTROL NUMBER MA-1 MA-2 MA-3 MA-4 MA-5 MA-6 CONTROL NAME

System Maintenance Policy and Procedures Controlled Maintenance Maintenance Tools Non-Local Maintenance Maintenance Personnel Timely Maintenance

Download The 6 Maintenance Assessment Cases (Word Zip)

Back To Top

MEDIA PROTECTION
CONTROL NUMBER MP-1 MP-2 CONTROL NAME

Media Protection Policy and Procedures Media Access

MP-3 MP-4 MP-5 MP-6

Media Marking Media Storage Media Transport Media Sanitization

Download The 6 Media Protection Assessment Cases (Word Zip)

Back To Top

PHYSICAL AND ENVIRONMENTAL PROTECTION

CONTROL NUMBER PE-1 PE-2 PE-3 PE-4 PE-5 PE-6 PE-7 PE-8 PE-9 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PE-19 CONTROL NAME

Physical and Environmental Protection Policy and Procedures Physical Access Authorizations Physical Access Control Access Control for Transmission Medium Access Control for Output Devices Monitoring Physical Access Visitor Control Access Records Power Equipment and Power Cabling Emergency Shutoff Emergency Power Emergency Lighting Fire Protection Temperature and Humidity Controls Water Damage Protection Delivery and Removal Alternate Work Site Location of Information System Components Information Leakage

Download The 19 Physical And Environmental Protection Assessment Cases (Word Zip)

Back To Top

PLANNING
CONTROL NUMBER CONTROL NAME

PL-1 PL-2 PL-3 PL-4 PL-5 PL-6

Security Planning Policy and Procedures System Security Plan System Security Plan Update Rules of Behavior Privacy Impact Assessment Security-Related Activity Planning

Download The 6 Planning Assessment Cases (Word Zip)

Back To Top

PROGRAM MANAGEMENT
CONTROL NUMBER PM-1 PM-2 PM-3 PM-4 PM-5 PM-6 PM-7 PM-8 PM-9 PM-10 PM-11 CONTROL NAME

Information Security Program Plan Senior Information Security Officer Information Security Resources Plan of Action and Milestones Process Information System Inventory Information Security Measures of Performance Enterprise Architecture Critical Infrastructure Plan Risk Management Strategy Security Authorization Process Mission/Business Process Definition

Download The 11 Program Management Assessment Cases (Word Zip)

Back To Top

PERSONNEL SECURITY
CONTROL NUMBER PS-1 PS-2 PS-3 PS-4 PS-5 PS-6 CONTROL NAME

Personnel Security Policy and Procedures Position Categorization Personnel Screening Personnel Termination Personnel Transfer Access Agreements

PS-7 PS-8

Third-Party Personnel Security Personnel Sanctions

Download The 8 Personnel Security Assessment Cases (Word Zip)

Back To Top

RISK ASSESSMENT
CONTROL NUMBER RA-1 RA-2 RA-3 RA-4 RA-5 CONTROL NAME

Risk Assessment Policy and Procedures Security Categorization Risk Assessment Risk Assessment Update Vulnerability Scanning

Download The 5 Risk Assessment Cases (Word Zip)

Back To Top

SYSTEM AND SERVICES ACQUISITION

CONTROL NUMBER SA-1 SA-2 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9 SA-10 SA-11 SA-12 SA-13 SA-14 CONTROL NAME

System and Services Acquisition Policy and Procedures Allocation of Resources Life Cycle Support Acquisitions Information System Documentation Software Usage Restrictions User-Installed Software Security Engineering Principles External Information System Services Developer Configuration Management Developer Security Testing Supply Chain Protection Trustworthiness Critical Information System Components

Download The 14 System And Services Acquisition Assessment Cases (Word Zip)

Back To Top

SYSTEM AND COMMUNICATIONS PROTECTION

CONTROL NUMBER SC-1 SC-2 SC-3 SC-4 SC-5 SC-6 SC-7 SC-8 SC-9 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 CONTROL NAME

System and Communications Protection Policy and Procedures Application Partitioning Security Function Isolation Information In Shared Resources Denial of Service Protection Resource Priority Boundary Protection Transmission Integrity Transmission Confidentiality Network Disconnect Trusted Path Cryptographic Key Establishment and Management Use of Cryptography Public Access Protections Collaborative Computing Devices Transmission of Security Attributes Public Key Infrastructure Certificates Mobile Code Voice Over Internet Protocol Secure Name /Address Resolution Service (Authoritative Source) Secure Name /Address Resolution Service (Recursive or Caching Resolver) Architecture and Provisioning for Name/Address Resolution Service Session Authenticity Fail in Known State Thin Nodes Honeypots Operating System-Independent Applications Protection of Information at Rest Heterogeneity

SC-30 SC-31 SC-32 SC-33 SC-34

Virtualization Techniques Covert Channel Analysis Information System Partitioning Transmission Preparation Integrity Non-Modifiable Executable Programs

Download The 34 System And Communications Protection Assessment Cases (Word Zip)

Back To Top

SYSTEM AND INFORMATION INTEGRITY

CONTROL NUMBER SI-1 SI-2 SI-3 SI-4 SI-5 SI-6 SI-7 SI-8 SI-9 SI-10 SI-11 SI-12 SI-13 CONTROL NAME

System and Information Integrity Policy and Procedures Flaw Remediation Malicious Code Protection Information System Monitoring Security Alerts, Advisories and Directives Security Functionality Verification Software and Information Integrity Spam Protection Information Input Restrictions Information Input Validation Error Handling Information Output Handling and Retention Predictable Failure Prevention

Download The 13 System And Information Integrity Assessment Cases (Word Zip)

Back To Top
CSRC Webmaster, Disclaimer Notice & Privacy Policy NIST is an Agency of the U.S. Department of Commerce