O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

The CISSP® and CAP

The CISSP® and CAP

by Russell Dean Vines, CISSP, CISM, Security +, CCNA, MCSE, MCNE, Ronald L. Krutz, Ph.D. P.E., CISSP, ISSEP
Publisher: John Wiley & Sons
Release Date: November 2006
ISBN: 9780470007921
View table of contents
Start reading

Book Description

This follow-on edition to The CISSP Prep Guide: Mastering CISSP and ISSEP offers value-add coverage not featured anywhere else! You'll prepare for passing CISSP with a revised review of each of the ten CISSP domains, updated to reflect current thinking/technology, especially in the areas of cyber-terrorism prevention and disaster recovery. You'll also cover CAP, a major section of the ISSEP that has been elevated from its status as part of an advanced concentration to its own certification. The accompanying CD-ROM contains revised test questions to make your preparation complete. Order your copy today and make your exam preparation complete!

Table of Contents

  1. Copyright
  2. About the Authors
  3. Credits
  4. Foreword
  5. Acknowledgments
  6. Introduction
    1. The (ISC)2 Organization
    2. Candidate CISSP Requirements
    3. The CISSP Examination
    4. The ISSEP, ISSAP, and ISSMP Concentration Examinations
    5. The Approach of This Book
    6. Changes to the Platinum Edition
    7. Organization of the Book
    8. CD-ROM
    9. Who Should Read This Book?
    10. Summary
  7. 1. Focused Review of the CISSP Ten Domains
    1. 1. Information Security and Risk Management
      1. 1.1. Our Approach
      2. 1.2. Security Management Concepts
        1. 1.2.1. System Security Life Cycle
        2. 1.2.2. The Three Fundamentals
        3. 1.2.3. Other Important Concepts
          1. 1.2.3.1. NIST 33 Security Principles
          2. 1.2.3.2. Trade-Off Analysis (TOA)
          3. 1.2.3.3. TOA Elements
        4. 1.2.4. Objectives of Security Controls
      3. 1.3. Information Classification Process
        1. 1.3.1. Information Classification Objectives
        2. 1.3.2. Information Classification Benefits
        3. 1.3.3. Information Classification Concepts
          1. 1.3.3.1. Classification Terms
          2. 1.3.3.2. Classification Criteria
          3. 1.3.3.3. Information Classification Procedures
          4. 1.3.3.4. Distribution of Classified Information
        4. 1.3.4. Information Classification Roles
          1. 1.3.4.1. Owner
          2. 1.3.4.2. Custodian
          3. 1.3.4.3. User
          4. 1.3.4.4. Employee Termination
      4. 1.4. Security Policy Implementation
        1. 1.4.1. Policies, Standards, Guidelines, and Procedures
          1. 1.4.1.1. Policy Types
          2. 1.4.1.2. Standards, Guidelines, and Procedures
          3. 1.4.1.3. Baselines
      5. 1.5. Roles and Responsibilities
      6. 1.6. Risk Management and Assessment
        1. 1.6.1. Principles of Risk Management
          1. 1.6.1.1. The Purpose of Risk Analysis
          2. 1.6.1.2. Terms and Definitions
        2. 1.6.2. RM Roles
        3. 1.6.3. Overview of Risk Analysis
          1. 1.6.3.1. Quantitative Risk Analysis
          2. 1.6.3.2. Risk Analysis Steps
            1. 1.6.3.2.1. Estimate Potential Losses
            2. 1.6.3.2.2. Analyze Potential Threats
            3. 1.6.3.2.3. Define the Annualized Loss Expectancy (ALE)
            4. 1.6.3.2.4. Results
            5. 1.6.3.2.5. Remedies
          3. 1.6.3.3. Qualitative Risk Analysis
            1. 1.6.3.3.1. Qualitative Scenario Procedure
          4. 1.6.3.4. Asset Valuation Process
            1. 1.6.3.4.1. Reasons for Determining the Value of an Asset
            2. 1.6.3.4.2. Elements Used to Determine the Value of an Asset
          5. 1.6.3.5. Safeguard Selection Criteria
            1. 1.6.3.5.1. Cost-Benefit Analysis
            2. 1.6.3.5.2. Level of Manual Operations
            3. 1.6.3.5.3. Auditability and Accountability Features
            4. 1.6.3.5.4. Recovery Ability
            5. 1.6.3.5.5. Vendor Relations
        4. 1.6.4. Security Posture Assessment Methodologies
          1. 1.6.4.1. INFOSEC Assessment Methodology (IAM)
          2. 1.6.4.2. The IAM Process
          3. 1.6.4.3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
          4. 1.6.4.4. Federal Information Technology Security Assessment Framework (FITSAF)
      7. 1.7. Security Awareness
        1. 1.7.1. Awareness
        2. 1.7.2. Training and Education
      8. 1.8. Assessment Questions
    2. 2. Access Control
      1. 2.1. Rationale
      2. 2.2. Controls
      3. 2.3. Models for Controlling Access
        1. 2.3.1. Control Combinations
          1. 2.3.1.1. Preventive/Administrative
          2. 2.3.1.2. Preventive/Technical
          3. 2.3.1.3. Preventive/Physical
          4. 2.3.1.4. Detective/Administrative
          5. 2.3.1.5. Detective/Technical
          6. 2.3.1.6. Detective/Physical
      4. 2.4. Access Control Attacks
        1. 2.4.1. Denial of Service/Distributed Denial of Service (DoS/DDoS)
        2. 2.4.2. Back Door
        3. 2.4.3. Spoofing
        4. 2.4.4. Man-in-the-Middle
        5. 2.4.5. Replay
        6. 2.4.6. TCP Hijacking
        7. 2.4.7. Social Engineering
        8. 2.4.8. Dumpster Diving
        9. 2.4.9. Password Guessing
          1. 2.4.9.1. Brute Force
          2. 2.4.9.2. Dictionary Attack
        10. 2.4.10. Software Exploitation
        11. 2.4.11. Mobile Code
        12. 2.4.12. Trojan Horses
        13. 2.4.13. Logic Bomb
        14. 2.4.14. System Scanning
      5. 2.5. Penetration Testing
      6. 2.6. Identification and Authentication
        1. 2.6.1. Passwords
          1. 2.6.1.1. Tokens
          2. 2.6.1.2. Memory Cards
          3. 2.6.1.3. Smart Cards
        2. 2.6.2. Biometrics
      7. 2.7. Single Sign-On (SSO)
        1. 2.7.1. Kerberos
        2. 2.7.2. Kerberos Operation
          1. 2.7.2.1. Client-TGS Server: Initial Exchange
          2. 2.7.2.2. Client to TGS Server: Request for Service
          3. 2.7.2.3. TGS Server to Client: Issuing of Ticket for Service
          4. 2.7.2.4. Client to Server Authentication: Exchange and Providing of Service
          5. 2.7.2.5. Kerberos Vulnerabilities
        3. 2.7.3. SESAME
        4. 2.7.4. KryptoKnight
      8. 2.8. Access Control Methodologies
        1. 2.8.1. Centralized Access Control
        2. 2.8.2. Decentralized/Distributed Access Control
          1. 2.8.2.1. Relational Database Security
          2. 2.8.2.2. Entity and Referential Integrity
          3. 2.8.2.3. Relational Database Operations
          4. 2.8.2.4. Data Normalization
          5. 2.8.2.5. SQL
          6. 2.8.2.6. Object-Oriented Databases (OODB)
          7. 2.8.2.7. Object-Relational Databases
          8. 2.8.2.8. Thin-Client Systems
          9. 2.8.2.9. Security Domain
        3. 2.8.3. Intrusion Detection
          1. 2.8.3.1. Network-Based IDS
          2. 2.8.3.2. Host-Based IDS
          3. 2.8.3.3. IDS Detection Methods
          4. 2.8.3.4. Signature-Based ID
          5. 2.8.3.5. Statistical Anomaly–Based ID
        4. 2.8.4. Some Access Control Issues
      9. 2.9. Assessment Questions
    3. 3. Telecommunications and Network Security
      1. 3.1. The C.I.A. Triad
        1. 3.1.1. Confidentiality
        2. 3.1.2. Integrity
        3. 3.1.3. Availability
      2. 3.2. Protocols
        1. 3.2.1. The Layered Architecture Concept
          1. 3.2.1.1. How Data Moves through a Layered Architecture
        2. 3.2.2. Open Systems Interconnect (OSI) Model
          1. 3.2.2.1. The Seven Layers
          2. 3.2.2.2. OSI Security Services and Mechanisms
        3. 3.2.3. Transmission Control Protocol/Internet Protocol (TCP/IP)
          1. 3.2.3.1. TCP/IP Protocols
            1. 3.2.3.1.1. Transmission Control Protocol (TCP)
            2. 3.2.3.1.2. User Datagram Protocol (UDP)
            3. 3.2.3.1.3. Internet Protocol (IP)
            4. 3.2.3.1.4. Address Resolution Protocol (ARP)
            5. 3.2.3.1.5. Reverse Address Resolution Protocol (RARP)
            6. 3.2.3.1.6. Internet Control Message Protocol (ICMP)
          2. 3.2.3.2. Other TCP/IP Protocols
      3. 3.3. LAN Technologies
        1. 3.3.1. Ethernet
        2. 3.3.2. ARCnet
        3. 3.3.3. Token Ring
        4. 3.3.4. Fiber Distributed Data Interface (FDDI)
      4. 3.4. Cabling Types
        1. 3.4.1. Coaxial Cable (Coax)
        2. 3.4.2. Twisted Pair
        3. 3.4.3. Fiber-Optic Cable
        4. 3.4.4. Cabling Vulnerabilities
        5. 3.4.5. Transmission Types
      5. 3.5. Network Topologies
        1. 3.5.1. Bus
        2. 3.5.2. Ring
        3. 3.5.3. Star
        4. 3.5.4. Tree
        5. 3.5.5. Mesh
      6. 3.6. LAN Transmission Protocols
        1. 3.6.1. Carrier-Sense Multiple Access (CSMA)
          1. 3.6.1.1. Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
          2. 3.6.1.2. Carrier-Sense Multiple Access with Collision Detection (CSMA/CD)
        2. 3.6.2. Polling
        3. 3.6.3. Token Passing
        4. 3.6.4. Unicast, Multicast, Broadcast
      7. 3.7. Networking Devices
        1. 3.7.1. Hubs and Repeaters
        2. 3.7.2. Bridges
        3. 3.7.3. Spanning Tree
        4. 3.7.4. Switches
        5. 3.7.5. Transparent Bridging
        6. 3.7.6. Routers
          1. 3.7.6.1. Routing Methodologies
          2. 3.7.6.2. Layer 3 Switching
        7. 3.7.7. VLANs
        8. 3.7.8. Gateways
        9. 3.7.9. LAN Extenders
      8. 3.8. Firewall Types
        1. 3.8.1. Packet-Filtering Firewalls
        2. 3.8.2. Application-Level Firewalls
        3. 3.8.3. Circuit-Level Firewalls
        4. 3.8.4. Stateful Inspection Firewalls
      9. 3.9. Firewall Architectures
        1. 3.9.1. Packet-Filtering Routers
        2. 3.9.2. Screened-Host Firewalls
        3. 3.9.3. Dual-Homed Host Firewalls
        4. 3.9.4. Screened-Subnet Firewalls
        5. 3.9.5. SOCKS
      10. 3.10. Common Data Network Services
        1. 3.10.1. File Transfer Services
        2. 3.10.2. SFTP
        3. 3.10.3. SSH/SSH-2
        4. 3.10.4. TFTP
      11. 3.11. Data Network Types
        1. 3.11.1. Wide Area Networks
        2. 3.11.2. Internet
        3. 3.11.3. Intranet
        4. 3.11.4. Extranet
      12. 3.12. WAN Technologies
        1. 3.12.1. Dedicated Lines
        2. 3.12.2. T-carriers
        3. 3.12.3. WAN Switching
        4. 3.12.4. Circuit-Switched Networks
        5. 3.12.5. Packet-Switched Networks
          1. 3.12.5.1. Packet-Switched Technologies
        6. 3.12.6. Other WAN Protocols
        7. 3.12.7. Common WAN Devices
        8. 3.12.8. Network Address Translation (NAT)
      13. 3.13. Remote Access Technologies
        1. 3.13.1. Remote Access Types
        2. 3.13.2. Remote Access Security Methods
        3. 3.13.3. Virtual Private Networking (VPN)
          1. 3.13.3.1. VPN Examples
            1. 3.13.3.1.1. Remote Access VPNs
            2. 3.13.3.1.2. Network-to-Network VPNs
            3. 3.13.3.1.3. Intranet Access VPNs
          2. 3.13.3.2. VPN Tunneling
          3. 3.13.3.3. VPN and Remote Access Protocols
            1. 3.13.3.3.1. Point-to-Point Tunneling Protocol (PPTP)
            2. 3.13.3.3.2. Layer 2 Tunneling Protocol (L2TP)
            3. 3.13.3.3.3. Internet Protocol Security (IPSec)
            4. 3.13.3.3.4. Serial Line Internet Protocol (SLIP)
            5. 3.13.3.3.5. Point-to-Point Protocol (PPP)
            6. 3.13.3.3.6. Password Authentication Protocol
            7. 3.13.3.3.7. Challenge Handshake Authentication Protocol
            8. 3.13.3.3.8. MS-CHAP
            9. 3.13.3.3.9. MS-CHAP version 2
            10. 3.13.3.3.10. Extensible Authentication Protocol
            11. 3.13.3.3.11. EAP Transport Level Security
          4. 3.13.3.4. Wireless VPNs
        4. 3.13.4. RADIUS and TACACS
          1. 3.13.4.1. Remote Authentication Dial-in User Service (RADIUS)
          2. 3.13.4.2. Wireless RADIUS
          3. 3.13.4.3. Terminal Access Controller Access Control System (TACACS)
      14. 3.14. Network Availability
        1. 3.14.1. High Availability and Fault Tolerance
      15. 3.15. Wireless Technologies
        1. 3.15.1. IEEE Wireless Standards
          1. 3.15.1.1. 802.1x
          2. 3.15.1.2. Spread-Spectrum Technologies
            1. 3.15.1.2.1. Direct Sequence Spread Spectrum (DSSS)
            2. 3.15.1.2.2. Frequency-Hopping Spread Spectrum (FHSS)
          3. 3.15.1.3. WLAN Operational Modes
            1. 3.15.1.3.1. Ad Hoc Mode
            2. 3.15.1.3.2. Infrastructure Mode
        2. 3.15.2. Bluetooth
          1. 3.15.2.1. Bluetooth Security
        3. 3.15.3. Wireless Application Protocol (WAP)
          1. 3.15.3.1. Application layer
          2. 3.15.3.2. Session Layer
          3. 3.15.3.3. Transaction Layer
          4. 3.15.3.4. Security Layer
          5. 3.15.3.5. Transport Layer
      16. 3.16. Wireless Security
        1. 3.16.1. Wireless Transport Layer Security Protocol
        2. 3.16.2. WEP Encryption
        3. 3.16.3. Wireless Vulnerabilities
          1. 3.16.3.1. Denial-of-Service Attacks
          2. 3.16.3.2. The "WAP Gap"
          3. 3.16.3.3. Insertion Attacks
          4. 3.16.3.4. Rogue Access Points
          5. 3.16.3.5. WEP Weaknesses
          6. 3.16.3.6. WEP Encryption Workarounds
          7. 3.16.3.7. Service Set Identifier (SSID) Issues
          8. 3.16.3.8. Wireless Scanning and Eavesdropping
          9. 3.16.3.9. War Driving
          10. 3.16.3.10. Wireless Packet Sniffers and Scanners
          11. 3.16.3.11. PDA Security Issues
            1. 3.16.3.11.1. Loss of Confidentiality
            2. 3.16.3.11.2. Physical Loss of Unit
      17. 3.17. Intrusion Detection and Response
        1. 3.17.1. Types of Intrusion Detection Systems
          1. 3.17.1.1. Host-Based ID Systems
          2. 3.17.1.2. Network-Based ID Systems
        2. 3.17.2. IDS Approaches
          1. 3.17.2.1. Knowledge-Based ID
          2. 3.17.2.2. Behavior-Based ID
        3. 3.17.3. Honey Pots
          1. 3.17.3.1. Honey Pot Issues
        4. 3.17.4. Computer Incident Response Team
        5. 3.17.5. IDS and a Layered Security Approach
        6. 3.17.6. IDS and Switches
        7. 3.17.7. IDS Performance
      18. 3.18. Network Attacks and Abuses
        1. 3.18.1. Logon Abuse
        2. 3.18.2. Inappropriate System Use
        3. 3.18.3. Eavesdropping
        4. 3.18.4. Network Intrusion
        5. 3.18.5. Denial of Service (DoS) Attacks
        6. 3.18.6. Session Hijacking Attacks
        7. 3.18.7. Fragmentation Attacks
        8. 3.18.8. Dial-Up Attacks
      19. 3.19. Probing and Scanning
        1. 3.19.1. Vulnerability Scanning
          1. 3.19.1.1. Discovery Scanning
          2. 3.19.1.2. Workstation Scanning
          3. 3.19.1.3. Server Scanning
        2. 3.19.2. Port Scanning
          1. 3.19.2.1. TCP/UDP Scanning Types
            1. 3.19.2.1.1. Stealth Scans
            2. 3.19.2.1.2. Spoofed Scans
          2. 3.19.2.2. Determining the OS Type
          3. 3.19.2.3. Scanning Tools
          4. 3.19.2.4. NMap
          5. 3.19.2.5. Vulnerable Ports
        3. 3.19.3. Issues with Vulnerability Scanning
      20. 3.20. Malicious Code
        1. 3.20.1. Viruses
          1. 3.20.1.1. The Virus Life Cycle
          2. 3.20.1.2. Macro Viruses
          3. 3.20.1.3. Polymorphic Viruses
          4. 3.20.1.4. Stealth Viruses
        2. 3.20.2. Spyware
          1. 3.20.2.1. Adware
          2. 3.20.2.2. Keyloggers
          3. 3.20.2.3. Hardware Keyloggers
          4. 3.20.2.4. Software Keyloggers
          5. 3.20.2.5. Web Bugs
          6. 3.20.2.6. Spambots
          7. 3.20.2.7. Pop-Up Download
          8. 3.20.2.8. Drive-By Download
          9. 3.20.2.9. Bogus Spyware Removal Programs
          10. 3.20.2.10. Multistage and Blended Threats
        3. 3.20.3. Trojan Horses
        4. 3.20.4. Remote Access Trojans (RATs)
        5. 3.20.5. Logic Bombs
        6. 3.20.6. Worms
        7. 3.20.7. Malicious Code Prevention
          1. 3.20.7.1. Virus Scanners
          2. 3.20.7.2. Virus Prevention
          3. 3.20.7.3. Virus Detection
          4. 3.20.7.4. Spyware Removers
      21. 3.21. Web Security
        1. 3.21.1. Phishing
        2. 3.21.2. Browser Hijacking
        3. 3.21.3. SSL/TLS
          1. 3.21.3.1. SSL 3.0
          2. 3.21.3.2. TLS 1.0
        4. 3.21.4. S-HTTP
        5. 3.21.5. Instant Messaging Security
          1. 3.21.5.1. IM Vulnerabilities
          2. 3.21.5.2. IM Solutions
          3. 3.21.5.3. Enterprise IM
        6. 3.21.6. 8.3 Naming Conventions
      22. 3.22. Assessment Questions
    4. 4. Cryptography
      1. 4.1. Introduction
      2. 4.2. Definitions
      3. 4.3. Background
      4. 4.4. Cryptographic Technologies
      5. 4.5. Classical Ciphers
        1. 4.5.1. Substitution
        2. 4.5.2. Transposition (Permutation)
        3. 4.5.3. Vernam Cipher (One-Time Pad)
        4. 4.5.4. Book or Running-Key Cipher
        5. 4.5.5. Codes
        6. 4.5.6. Steganography
      6. 4.6. Secret-Key Cryptography (Symmetric-Key)
        1. 4.6.1. Data Encryption Standard (DES)
          1. 4.6.1.1. Cipher Block Chaining
          2. 4.6.1.2. Electronic Code Book (ECB)
          3. 4.6.1.3. Cipher Feedback (CFB)
          4. 4.6.1.4. Output Feedback
          5. 4.6.1.5. DES Security
        2. 4.6.2. Triple DES
        3. 4.6.3. The Advanced Encryption Standard (AES)
        4. 4.6.4. The Rijndael Block Cipher
        5. 4.6.5. The Twofish Algorithm
        6. 4.6.6. The IDEA Cipher
        7. 4.6.7. RC5/RC6
      7. 4.7. Public-Key (Asymmetric) Cryptosystems
        1. 4.7.1. One-Way Functions
        2. 4.7.2. Public-Key Algorithms
          1. 4.7.2.1. RSA
          2. 4.7.2.2. Diffie-Hellman Key Exchange
          3. 4.7.2.3. El Gamal
          4. 4.7.2.4. Merkle-Hellman Knapsack
          5. 4.7.2.5. Elliptic Curve (EC)
        3. 4.7.3. Public-Key Cryptosystem Algorithm Categories
        4. 4.7.4. Asymmetric and Symmetric Key Length Strength Comparisons
        5. 4.7.5. Digital Signatures
        6. 4.7.6. Digital Signature Standard (DSS) and Secure Hash Standard (SHS)
        7. 4.7.7. MD5
        8. 4.7.8. Sending a Message with a Digital Signature
        9. 4.7.9. Hashed Message Authentication Code (HMAC)
        10. 4.7.10. Hash Function Characteristics
      8. 4.8. Cryptographic Attacks
      9. 4.9. Public-Key Certification Systems
        1. 4.9.1. Digital Certificates
        2. 4.9.2. Public-Key Infrastructure (PKI)
          1. 4.9.2.1. Digital Certificates
          2. 4.9.2.2. Directories and X.500
          3. 4.9.2.3. The Lightweight Directory Access Protocol
          4. 4.9.2.4. X.509 Certificates
          5. 4.9.2.5. Certificate Revocation Lists
          6. 4.9.2.6. Key Management
            1. 4.9.2.6.1. Key Distribution
            2. 4.9.2.6.2. Key Revocation
            3. 4.9.2.6.3. Key Recovery
            4. 4.9.2.6.4. Key Renewal
            5. 4.9.2.6.5. Key Destruction
            6. 4.9.2.6.6. Multiple Keys
            7. 4.9.2.6.7. Distributed versus Centralized Key Management
      10. 4.10. Approaches to Escrowed Encryption
        1. 4.10.1. The Escrowed Encryption Standard
        2. 4.10.2. Key Escrow Approaches Using Public-Key Cryptography
      11. 4.11. Identity-Based Encryption
        1. 4.11.1. Cryptographic Export Issues
      12. 4.12. Quantum Computing
      13. 4.13. E-mail Security Issues and Approaches
        1. 4.13.1. Secure Multi-Purpose Internet Mail Extensions (S/MIME)
        2. 4.13.2. MIME Object Security Services (MOSS)
        3. 4.13.3. Privacy Enhanced Mail (PEM)
        4. 4.13.4. Pretty Good Privacy (PGP)
      14. 4.14. Internet Security Applications
        1. 4.14.1. Message Authentication Code (MAC) or the Financial Institution Message Authentication Standard (FIMAS)
        2. 4.14.2. Secure Electronic Transaction (SET)
        3. 4.14.3. Secure Sockets Layer (SSL)/Transaction Layer Security (TLS)
        4. 4.14.4. Internet Open Trading Protocol (IOTP)
        5. 4.14.5. MONDEX
        6. 4.14.6. IPSec
        7. 4.14.7. Secure Hypertext Transfer Protocol (S-HTTP)
        8. 4.14.8. Secure Shell (SSH-2)
      15. 4.15. Wireless Security
        1. 4.15.1. Wireless Application Protocol (WAP)
        2. 4.15.2. The IEEE 802.11 Wireless Standard
      16. 4.16. Assessment Questions
    5. 5. Security Architecture and Design
      1. 5.1. Computer Architecture
        1. 5.1.1. Memory
        2. 5.1.2. Instruction Execution Cycle
        3. 5.1.3. Input/Output Structures
        4. 5.1.4. Software
        5. 5.1.5. Open and Closed Systems
        6. 5.1.6. Distributed Architecture
      2. 5.2. Protection Mechanisms
        1. 5.2.1. Rings
        2. 5.2.2. Logical Security Guard
        3. 5.2.3. Enterprise Architecture Issues
        4. 5.2.4. Security Labels
        5. 5.2.5. Security Modes
        6. 5.2.6. Additional Security Considerations
        7. 5.2.7. Recovery Procedures
      3. 5.3. Assurance
        1. 5.3.1. Evaluation Criteria
        2. 5.3.2. Certification and Accreditation
        3. 5.3.3. DITSCAP and NIACAP
          1. 5.3.3.1. DITSCAP
          2. 5.3.3.2. NIACAP
          3. 5.3.3.3. DIACAP
        4. 5.3.4. The Systems Security Engineering Capability Maturity Model (SSE-CMM)
          1. 5.3.4.1. Security Engineering
          2. 5.3.4.2. Project and Organizational Practices
      4. 5.4. Information Security Models
        1. 5.4.1. Access Control Models
          1. 5.4.1.1. The Access Matrix
          2. 5.4.1.2. Take-Grant Model
          3. 5.4.1.3. Bell-LaPadula Model
        2. 5.4.2. Integrity Models
          1. 5.4.2.1. The Biba Integrity Model
          2. 5.4.2.2. The Clark-Wilson Integrity Model
        3. 5.4.3. Information Flow Models
          1. 5.4.3.1. Non-Interference Model
          2. 5.4.3.2. Chinese Wall Model
          3. 5.4.3.3. Composition Theories
      5. 5.5. Assessment Questions
    6. 6. Operations Security
      1. 6.1. Operations Security Concepts
        1. 6.1.1. Triples
        2. 6.1.2. C.I.A.
      2. 6.2. Controls and Protections
        1. 6.2.1. Categories of Controls
        2. 6.2.2. Orange Book Controls
          1. 6.2.2.1. Covert Channel Analysis
            1. 6.2.2.1.1. Covert Storage Channel
            2. 6.2.2.1.2. Covert Timing Channel
          2. 6.2.2.2. Trusted Facility Management
            1. 6.2.2.2.1. Separation of Duties
            2. 6.2.2.2.2. Rotation of Duties
          3. 6.2.2.3. Trusted Recovery
            1. 6.2.2.3.1. Failure Preparation
            2. 6.2.2.3.2. System Recovery
          4. 6.2.2.4. Modes of Operation
          5. 6.2.2.5. Configuration Management and Change Control
            1. 6.2.2.5.1. Configuration Identification
            2. 6.2.2.5.2. Configuration Control
            3. 6.2.2.5.3. Configuration Status Accounting
            4. 6.2.2.5.4. Configuration Audit
          6. 6.2.2.6. Configuration Management Plan
          7. 6.2.2.7. Configuration Control Board (CCB)
          8. 6.2.2.8. Administrative Controls
          9. 6.2.2.9. Least Privilege
          10. 6.2.2.10. Operations Job Function Overview
          11. 6.2.2.11. Record Retention
          12. 6.2.2.12. Data Remanence
            1. 6.2.2.12.1. Due Care and Due Diligence
            2. 6.2.2.12.2. Documentation Control
        3. 6.2.3. Operations Controls
          1. 6.2.3.1. Resource Protection
            1. 6.2.3.1.1. Hardware Resources
            2. 6.2.3.1.2. Software Resources
            3. 6.2.3.1.3. Data Resources
          2. 6.2.3.2. Hardware Controls
            1. 6.2.3.2.1. Hardware Maintenance
            2. 6.2.3.2.2. Maintenance Accounts
            3. 6.2.3.2.3. Diagnostic Port Control
            4. 6.2.3.2.4. Hardware Physical Control
          3. 6.2.3.3. Software Controls
          4. 6.2.3.4. Privileged-Entity Controls
          5. 6.2.3.5. Media Resource Protection
            1. 6.2.3.5.1. Media Security Controls
            2. 6.2.3.5.2. Overwriting
            3. 6.2.3.5.3. Degaussing
            4. 6.2.3.5.4. Destruction
            5. 6.2.3.5.5. Media Viability Controls
          6. 6.2.3.6. Physical Access Controls
            1. 6.2.3.6.1. Hardware
            2. 6.2.3.6.2. Software
      3. 6.3. Monitoring and Auditing
        1. 6.3.1. Monitoring
          1. 6.3.1.1. Monitoring Techniques
            1. 6.3.1.1.1. Intrusion Detection (ID)
            2. 6.3.1.1.2. Penetration Testing
            3. 6.3.1.1.3. Violation Analysis
            4. 6.3.1.1.4. Benefits of Incident-Handling Capability
        2. 6.3.2. Auditing
          1. 6.3.2.1. Security Auditing
          2. 6.3.2.2. Audit Trails
          3. 6.3.2.3. Problem Management Concepts
      4. 6.4. Threats and Vulnerabilities
        1. 6.4.1. Threats
          1. 6.4.1.1. Accidental Loss
          2. 6.4.1.2. Inappropriate Activities
          3. 6.4.1.3. Illegal Computer Operations and Intentional Attacks
        2. 6.4.2. Vulnerabilities and Attacks
      5. 6.5. Maintaining Resource Availability
        1. 6.5.1. RAID
        2. 6.5.2. RAID Levels
        3. 6.5.3. Backup Concepts
          1. 6.5.3.1. Tape Backup Methods
          2. 6.5.3.2. Other Backup Formats
          3. 6.5.3.3. Common Backup Issues and Problems
      6. 6.6. Operational E-Mail Security
      7. 6.7. E-Mail Phishing
        1. 6.7.1.
          1. 6.7.1.1. Standard Customer Communication Policy
          2. 6.7.1.2. E-Mail Authentication Systems
      8. 6.8. Fax Security
      9. 6.9. Assessment Questions
    7. 7. Application Security
      1. 7.1. Systems Engineering
      2. 7.2. The System Life Cycle or System Development Life Cycle (SDLC)
      3. 7.3. The Software Life Cycle Development Process
        1. 7.3.1. The Waterfall Model
        2. 7.3.2. The Spiral Model
        3. 7.3.3. Cost Estimation Models
        4. 7.3.4. Information Security and the Life Cycle Model
        5. 7.3.5. Testing Issues
        6. 7.3.6. The Software Maintenance Phase and the Change Control Process
        7. 7.3.7. Configuration Management
      4. 7.4. The Software Capability Maturity Model (CMM)
      5. 7.5. Agile Methodology
      6. 7.6. Object-Oriented Systems
      7. 7.7. Artificial Intelligence Systems
        1. 7.7.1. Expert Systems
        2. 7.7.2. Neural Networks
        3. 7.7.3. Genetic Algorithms
        4. 7.7.4. Knowledge Management
      8. 7.8. Database Systems
        1. 7.8.1. Database Security Issues
        2. 7.8.2. Data Warehouse and Data Mining
        3. 7.8.3. Data Dictionaries
      9. 7.9. Application Controls
        1. 7.9.1. Distributed Systems
        2. 7.9.2. Centralized Architecture
        3. 7.9.3. Real-Time Systems
      10. 7.10. Assessment Questions
    8. 8. Business Continuity Planning and Disaster Recovery Planning
      1. 8.1. Business Continuity Planning
        1. 8.1.1. Continuity Disruptive Events
        2. 8.1.2. The Four Prime Elements of BCP
          1. 8.1.2.1. Scope and Plan Initiation
            1. 8.1.2.1.1. Roles and Responsibilities
          2. 8.1.2.2. Business Impact Assessment
            1. 8.1.2.2.1. Gathering Assessment Materials
            2. 8.1.2.2.2. The Vulnerability Assessment
            3. 8.1.2.2.3. Analyzing the Information
            4. 8.1.2.2.4. Documentation and Recommendation
          3. 8.1.2.3. Business Continuity Plan Development
            1. 8.1.2.3.1. Defining the Continuity Strategy
            2. 8.1.2.3.2. Documenting the Continuity Strategy
          4. 8.1.2.4. Plan Approval and Implementation
      2. 8.2. Disaster Recovery Planning (DRP)
        1. 8.2.1. Goals and Objectives of DRP
        2. 8.2.2. The Disaster Recovery Planning Process
          1. 8.2.2.1. Data Processing Continuity Planning
            1. 8.2.2.1.1. Mutual Aid Agreements
            2. 8.2.2.1.2. Subscription Services
            3. 8.2.2.1.3. Multiple Centers
            4. 8.2.2.1.4. Service Bureaus
            5. 8.2.2.1.5. Other Data Center Backup Alternatives
            6. 8.2.2.1.6. Transaction Redundancy Implementations
          2. 8.2.2.2. Disaster Recovery Plan Maintenance
        3. 8.2.3. Testing the Disaster Recovery Plan
          1. 8.2.3.1. Reasons for Testing
          2. 8.2.3.2. Creating the Test Document
          3. 8.2.3.3. The Five Disaster Recovery Plan Test Types
        4. 8.2.4. Disaster Recovery Procedures
          1. 8.2.4.1. The Recovery Team
          2. 8.2.4.2. The Salvage Team
          3. 8.2.4.3. Normal Operations Resume
        5. 8.2.5. Other Recovery Issues
          1. 8.2.5.1. Interfacing with External Groups
          2. 8.2.5.2. Employee Relations
          3. 8.2.5.3. Fraud and Crime
          4. 8.2.5.4. Financial Disbursement
          5. 8.2.5.5. Media Relations
      3. 8.3. Assessment Questions
    9. 9. Legal, Regulations, Compliance, and Investigations
      1. 9.1. Types of Computer Crime
      2. 9.2. Examples of Computer Crime
      3. 9.3. Law
        1. 9.3.1. Example: The United States
          1. 9.3.1.1. Compilation of Statutory Law
          2. 9.3.1.2. Compilation of Administrative Law
          3. 9.3.1.3. Compilation of Common Law
        2. 9.3.2. Common Law System Categories
          1. 9.3.2.1. Intellectual Property Law
          2. 9.3.2.2. Information Privacy and Privacy Laws
            1. 9.3.2.2.1. Privacy Policy
            2. 9.3.2.2.2. Privacy-Related Legislation and Guidelines
            3. 9.3.2.2.3. European Union (EU) Principles
            4. 9.3.2.2.4. Health Care–Related Privacy Issues
          3. 9.3.2.3. The Platform for Privacy Preferences (P3P)
          4. 9.3.2.4. Electronic Monitoring
        3. 9.3.3. Computer Security, Privacy, and Crime Laws
      4. 9.4. Investigation
        1. 9.4.1. Computer Investigation Issues
          1. 9.4.1.1. Evidence
            1. 9.4.1.1.1. Evidence Admissibility
            2. 9.4.1.1.2. Types of Evidence
          2. 9.4.1.2. Searching and Seizing Computers
          3. 9.4.1.3. Conducting the Investigation
        2. 9.4.2. Export Issues and Technology
      5. 9.5. Liability
      6. 9.6. Ethics
        1. 9.6.1. (ISC)2 Code of Ethics
        2. 9.6.2. The Computer Ethics Institute's Ten Commandments of Computer Ethics
        3. 9.6.3. The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)
        4. 9.6.4. The U.S. Department of Health and Human Services Code of Fair Information Practices
        5. 9.6.5. The Organization for Economic Cooperation and Development (OECD)
      7. 9.7. Assessment Questions
    10. 10. Physical (Environmental) Security
      1. 10.1. Threats to Physical Security
      2. 10.2. Controls for Physical Security
        1. 10.2.1. Administrative Controls
          1. 10.2.1.1. Facility Requirements Planning
            1. 10.2.1.1.1. Choosing a Secure Site
            2. 10.2.1.1.2. Designing a Secure Site
          2. 10.2.1.2. Secure Facility Management
            1. 10.2.1.2.1. Audit Trails
            2. 10.2.1.2.2. Emergency Procedures
          3. 10.2.1.3. Administrative Personnel Controls
        2. 10.2.2. Environmental and Life Safety Controls
          1. 10.2.2.1. Electrical Power
            1. 10.2.2.1.1. Noise
            2. 10.2.2.1.2. Brownouts
            3. 10.2.2.1.3. Humidity
          2. 10.2.2.2. Fire Detection and Suppression
            1. 10.2.2.2.1. Fire Classes and Combustibles
            2. 10.2.2.2.2. Fire Detectors
            3. 10.2.2.2.3. Fire Extinguishing Systems
            4. 10.2.2.2.4. Suppression Mediums
            5. 10.2.2.2.5. Contamination
            6. 10.2.2.2.6. Water Damage
          3. 10.2.2.3. Heating, Ventilation, and Air Conditioning
        3. 10.2.3. Physical and Technical Controls
          1. 10.2.3.1. Facility Perimeter Control
            1. 10.2.3.1.1. Guards
            2. 10.2.3.1.2. Dogs
            3. 10.2.3.1.3. Fencing
            4. 10.2.3.1.4. Mantrap
            5. 10.2.3.1.5. Lighting
            6. 10.2.3.1.6. Bollards
            7. 10.2.3.1.7. Locks
            8. 10.2.3.1.8. Closed-Circuit Television (CCTV)
          2. 10.2.3.2. Access Control Devices
            1. 10.2.3.2.1. Security Access Cards
            2. 10.2.3.2.2. Biometric Devices
          3. 10.2.3.3. Intrusion Detectors and Alarms
            1. 10.2.3.3.1. Perimeter Intrusion Detectors
            2. 10.2.3.3.2. Motion Detectors
            3. 10.2.3.3.3. Alarm Systems
          4. 10.2.3.4. Computer Inventory Control
            1. 10.2.3.4.1. PC Physical Control
            2. 10.2.3.4.2. Laptop Control
          5. 10.2.3.5. Media Storage Requirements
            1. 10.2.3.5.1. Data Destruction and Reuse
            2. 10.2.3.5.2. Object Reuse and Data Remanence
      3. 10.3. Assessment Questions
  8. 2. The Certification and Accreditation Professional (CAP) Credential
    1. 11. Understanding Certification and Accreditation
      1. 11.1. System Authorization
        1. 11.1.1. A Select History of Systems Authorization
          1. 11.1.1.1. Federal Information Processing Standard (FIPS) 102
          2. 11.1.1.2. Trusted Computer System Evaluation Criteria (TCSEC)
          3. 11.1.1.3. Office of Management and Budget Circular A-130
          4. 11.1.1.4. DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
          5. 11.1.1.5. The System Security Authorization Agreement (SSAA)
          6. 11.1.1.6. The National Information Assurance Certification and Accreditation Process (NIACAP)
            1. 11.1.1.6.1. NIACAP and NSTISSP # 6
            2. 11.1.1.6.2. NIACAP Accreditation Types
          7. 11.1.1.7. Defense Information Assurance Certification and Accreditation Process (DIACAP)
          8. 11.1.1.8. British Standard 7799 and ISO/IEC 17799
          9. 11.1.1.9. Common Criteria ISO/IEC 15408
          10. 11.1.1.10. Federal Information Security Management Act (FISMA)
          11. 11.1.1.11. Federal Information Technology Security Assessment Framework (FITSAF)
          12. 11.1.1.12. FIPS 199
          13. 11.1.1.13. FIPS 200
        2. 11.1.2. More and More Standards
      2. 11.2. What Is Certification and Accreditation?
        1. 11.2.1. NIST C&A Documents
        2. 11.2.2. C&A Roles and Responsibilities
          1. 11.2.2.1. Program Manager
          2. 11.2.2.2. Designated Approving Authority (DAA)
          3. 11.2.2.3. Certification Agent
          4. 11.2.2.4. User Representative
          5. 11.2.2.5. Information Systems Security Officer (ISSO)
          6. 11.2.2.6. NIACAP Roles
          7. 11.2.2.7. DIACAP ROLES
          8. 11.2.2.8. NIST C&A Roles
        3. 11.2.3. C&A Phases
        4. 11.2.4. DIACAP Phases
      3. 11.3. Assessment Questions
    2. 12. Initiation of the System Authorization Process
      1. 12.1. Security Categorization
        1. 12.1.1. Identification of Information Types
        2. 12.1.2. Potential Harmful Impact Levels
        3. 12.1.3. Assignment of Impact Level Scores
        4. 12.1.4. Assignment of System Impact Level
      2. 12.2. Initial Risk Estimation
        1. 12.2.1. Threat-Source Identification
          1. 12.2.1.1. Environmental Threat Sources
          2. 12.2.1.2. Natural Threat-Sources
          3. 12.2.1.3. Human Threat-Sources
        2. 12.2.2. Threat Likelihood of Occurrence
        3. 12.2.3. Analyzing for Vulnerabilities
        4. 12.2.4. System Accreditation Boundary
        5. 12.2.5. Legal and Regulatory Requirements
      3. 12.3. Selection of Security Controls
        1. 12.3.1. The Control Section
        2. 12.3.2. The Supplemental Guidance Section
        3. 12.3.3. The Control Enhancements Section
        4. 12.3.4. Assurance
        5. 12.3.5. Common and System-Specific Security Controls
        6. 12.3.6. Security Controls and the Management of Organizational Risk
      4. 12.4. Documenting Security Controls in the System Security Plan
      5. 12.5. Assessment Questions
    3. 13. The Certification Phase
      1. 13.1. Security Control Assessment
        1. 13.1.1. Prepare for the Assessment
          1. 13.1.1.1. Gather the Documentation
          2. 13.1.1.2. Define the Assessment Methods and Procedures
        2. 13.1.2. Conduct the Security Assessment
        3. 13.1.3. Prepare the Security Assessment Report
      2. 13.2. Security Certification Documentation
        1. 13.2.1. Provide the Findings and Recommendations
        2. 13.2.2. Update the System Security Plan
        3. 13.2.3. Prepare the Plan of Action
        4. 13.2.4. Assemble the Accreditation Package
      3. 13.3. DITSCAP Certification Phases
        1. 13.3.1. Phase 1: Definition
          1. 13.3.1.1. Document Mission Need
          2. 13.3.1.2. Registration
          3. 13.3.1.3. Negotiation
        2. 13.3.2. The System Security Authorization Agreement (SSAA)
        3. 13.3.3. SSAA Outline
        4. 13.3.4. SSAA Additional Material
        5. 13.3.5. The Requirements Traceability Matrix (RTM)
        6. 13.3.6. Phase 2: Verification
          1. 13.3.6.1. Refine the SSAA
          2. 13.3.6.2. System Development and Integration
          3. 13.3.6.3. Initial Certification Analysis
          4. 13.3.6.4. Assess Analysis Results
        7. 13.3.7. Key DITSCAP Roles
      4. 13.4. DIACAP Certification Phases
      5. 13.5. End of the Certification Phase
      6. 13.6. Assessment Questions
    4. 14. The Accreditation Phase
      1. 14.1. Security Accreditation Decision
        1. 14.1.1. Final Risk Assessment
        2. 14.1.2. Accreditation Decision
          1. 14.1.2.1. Authorization to Operate (ATO)
          2. 14.1.2.2. Interim Authorization to Operate (IATO)
          3. 14.1.2.3. Not Authorized (NA)
          4. 14.1.2.4. The Security Accreditation Decision Letter
      2. 14.2. Security Accreditation Documentation
        1. 14.2.1. Accreditation Package Transmission
        2. 14.2.2. System Security Plan Update
      3. 14.3. DITSCAP Accreditation Phases
        1. 14.3.1. Phase 3: Validation
          1. 14.3.1.1. Refine the SSAA
          2. 14.3.1.2. Certification Evaluation of the Integrated System
          3. 14.3.1.3. Develop Recommendation to the DAA
          4. 14.3.1.4. The Certification and Accreditation Decision
        2. 14.3.2. Phase 4: Post Accreditation
          1. 14.3.2.1. System and Security Operations
          2. 14.3.2.2. Secure System Management
          3. 14.3.2.3. SSAA Maintenance
          4. 14.3.2.4. Change Management
          5. 14.3.2.5. Compliance Validation
      4. 14.4. DIACAP Accreditation Phases
      5. 14.5. End of the Accreditation Phase
      6. 14.6. Assessment Questions
    5. 15. Continuous Monitoring Process
      1. 15.1. Continuous Monitoring
        1. 15.1.1. Monitoring Security Controls
          1. 15.1.1.1. The Interview
          2. 15.1.1.2. The Examination
          3. 15.1.1.3. Testing
        2. 15.1.2. Configuration Management and Control
        3. 15.1.3. Environment Monitoring
        4. 15.1.4. Documentation and Reporting
      2. 15.2. Assessment Questions
  9. A. Answers to Assessment Questions
    1. A.1. Chapter 1
    2. A.2. Chapter 2
    3. A.3. Chapter 3
    4. A.4. Chapter 4
    5. A.5. Chapter 5
    6. A.6. Chapter 6
    7. A.7. Chapter 7
    8. A.8. Chapter 8 Answers
    9. A.9. Chapter 9
    10. A.10. Chapter 10
    11. A.11. Chapter 11
    12. A.12. Chapter 12
    13. A.13. Chapter 13
    14. A.14. Chapter 14
    15. A.15. Chapter 15
    16. A.16. Appendix C:
    17. A.17. Appendix D:
      1. A.17.1. Systems Security Engineering
      2. A.17.2. Technical Management
      3. A.17.3. Certification and Accreditation
      4. A.17.4. U.S. Government Information Assurance Regulations
    18. A.18. Appendix E
  10. B. Glossary of Terms and Acronyms
  11. C. The Information System Security Architecture Professional (ISSAP) Certification
    1. C.1. Access Control Systems Methodology
    2. C.2. Telecommunications and Network Security
    3. C.3. Cryptography
    4. C.4. Requirements Analysis and Security Standards/Guidelines Criteria
      1. C.4.1. Analysis of Design Requirements
      2. C.4.2. Design Architecture
      3. C.4.3. Understanding Information System Security Standards and Guidelines
      4. C.4.4. Assessment of Effectiveness and Security of Information Systems Design
    5. C.5. Technology-Related Business Continuity Planning and Disaster Recovery Planning
    6. C.6. Physical Security Integration
    7. C.7. Assessment Questions: ISSAP
  12. D. The Information System Security Engineering Professional (ISSEP) Certification
    1. D.1. Systems Security Engineering
      1. D.1.1. The Information Assurance Technical Framework
        1. D.1.1.1. Principles of Defense in Depth
        2. D.1.1.2. Types and Classes of Attack
        3. D.1.1.3. The Defense in Depth Strategy
          1. D.1.1.3.1. People
          2. D.1.1.3.2. Technology
          3. D.1.1.3.3. Operations
        4. D.1.1.4. Sample U.S. Government User Environments
      2. D.1.2. Systems Engineering/Systems Security Engineering Processes
        1. D.1.2.1. The Systems Engineering Process
        2. D.1.2.2. The Information Systems Security Engineering Process
        3. D.1.2.3. Discover Information Protection Needs
        4. D.1.2.4. Define System Security Requirements
        5. D.1.2.5. Design System Security Architecture
        6. D.1.2.6. Develop Detailed Security Design
        7. D.1.2.7. Implement System Security
        8. D.1.2.8. Assess Information Protection Effectiveness
      3. D.1.3. Summary Showing the Correspondence of the SE and ISSE Activities
      4. D.1.4. ISSE and Its Relationship to C&A Processes
      5. D.1.5. Implementing Information Assurance in the System Life Cycle
      6. D.1.6. The System Life Cycle Phases
    2. D.2. Risk Management and the System Development Life Cycle
      1. D.2.1. Roles of Key Personnel in the Risk Management Process
      2. D.2.2. The Risk Assessment Process
        1. D.2.2.1. System Characterization
        2. D.2.2.2. Threat Identification
        3. D.2.2.3. Vulnerability Identification
        4. D.2.2.4. Control Analysis
        5. D.2.2.5. Likelihood Determination
        6. D.2.2.6. Impact Analysis
        7. D.2.2.7. Risk Determination
        8. D.2.2.8. Control Recommendations
        9. D.2.2.9. Results Documentation
      3. D.2.3. Risk Mitigation
        1. D.2.3.1. Risk Mitigation Options
        2. D.2.3.2. Categories of Controls
        3. D.2.3.3. Determination of Residual Risk
      4. D.2.4. Risk Management Summary
    3. D.3. Technical Management
      1. D.3.1. Capability Maturity Models (CMMs)
      2. D.3.2. Program Manager Responsibilities
      3. D.3.3. Program Management Plan (PMP)
      4. D.3.4. Systems Engineering Management Plan (SEMP)
        1. D.3.4.1. SEMP Elements
          1. D.3.4.1.1. Development Program Planning and Control
          2. D.3.4.1.2. Security Systems Engineering Process
          3. D.3.4.1.3. Statement of Work (SOW)
      5. D.3.5. Work Breakdown Structure (WBS)
        1. D.3.5.1. WBS Components
        2. D.3.5.2. Cost Control and Estimating
      6. D.3.6. Outsourcing
      7. D.3.7. System Design Testing
        1. D.3.7.1. Test and Evaluation Master Plan (TEMP)
        2. D.3.7.2. Testing and Evaluation Categories
        3. D.3.7.3. Technical Performance Measurement (TPM)
    4. D.4. Certification and Accreditation
    5. D.5. United States Government Information Assurance (IA) Regulations
      1. D.5.1. Common U.S. Government Information Assurance Terminology
      2. D.5.2. Important Government IA Definitions
      3. D.5.3. U.S. National Policy
      4. D.5.4. Additional Agency Policy Guidance
        1. D.5.4.1. Information Management Policy
        2. D.5.4.2. Management of Information Systems and Information Technology Policy
      5. D.5.5. Department of Defense Policies
      6. D.5.6. DoD Directive 8500.1
    6. D.6. Assessment Questions
      1. D.6.1. Systems Security Engineering
      2. D.6.2. Technical Management
      3. D.6.3. Certification and Accreditation
      4. D.6.4. U.S. Government Information Assurance Regulations
  13. E. The Information System Security Management Professional (ISSMP) Certification
    1. E.1. Enterprise Security Management Practices
    2. E.2. Enterprise-Wide Systems Development Practices
      1. E.2.1. Building Security into the Systems Development Life Cycle (SDLC)
        1. E.2.1.1. The System Development Life Cycle Phases
        2. E.2.1.2. Information System Security Applied to the SDLC
      2. E.2.2. Integrating Application and Network Security Controls
        1. E.2.2.1. Systems Engineering
        2. E.2.2.2. The Information Systems Security Engineering Process
        3. E.2.2.3. Discover Information Protection Needs
        4. E.2.2.4. Define System Security Requirements
        5. E.2.2.5. Design System Security Architecture
        6. E.2.2.6. Develop Detailed Security Design
        7. E.2.2.7. Implement System Security
        8. E.2.2.8. Assess Information Protection Effectiveness
      3. E.2.3. Summary Showing the Correspondence of the SE and ISSE Activities
      4. E.2.4. ISSE and Its Relationship to C&A Processes
    3. E.3. Integrating Security with the Configuration Management Program
      1. E.3.1. Change Control
      2. E.3.2. Configuration Management
        1. E.3.2.1. Configuration Identification
        2. E.3.2.2. Configuration Control
        3. E.3.2.3. Configuration Accounting
        4. E.3.2.4. Configuration Audit
      3. E.3.3. Configuration Management Plan
      4. E.3.4. Configuration Control Board (CCB)
    4. E.4. Developing and Integrating Processes to Identify System Vulnerabilities and Threats
      1. E.4.1. Roles of Key Personnel in the Risk Management Process
      2. E.4.2. The Risk Assessment Process
      3. E.4.3. Risk Mitigation
        1. E.4.3.1. Risk Mitigation Options
        2. E.4.3.2. Categories of Controls
        3. E.4.3.3. Determination of Residual Risk
      4. E.4.4. Risk Management Summary
    5. E.5. Overseeing Compliance of Operations Security
      1. E.5.1. Operations Personnel Procedures
      2. E.5.2. Incident Management
      3. E.5.3. Managing System Maintenance
    6. E.6. Business Continuity Planning (BCP), Disaster Recovery Planning (DRP), and Continuity of Operations Planning (COOP)
    7. E.7. Law, Investigation, Forensics, and Ethics
    8. E.8. Assessment Questions-ISSMP
  14. F. Security Control Catalog
    1. F.1. Security Controls, Supplemental Guidance, and Control Enhancements
      1. F.1.1. Family: Access Control–Class: Technical
        1. F.1.1.1. AC-1 ACCESS CONTROL POLICY AND PROCEDURES
          1. F.1.1.1.1. Control
          2. F.1.1.1.2. Supplemental Guidance
          3. F.1.1.1.3. Control Enhancements
          4. F.1.1.1.4. LOW
          5. F.1.1.1.5. MOD
          6. F.1.1.1.6. HIGH
        2. F.1.1.2. AC-2 ACCOUNT MANAGEMENT
          1. F.1.1.2.1. Control
          2. F.1.1.2.2. Supplemental Guidance
          3. F.1.1.2.3. Control Enhancements
          4. F.1.1.2.4. LOW
          5. F.1.1.2.5. MOD
          6. F.1.1.2.6. HIGH
        3. F.1.1.3. AC-3 ACCESS ENFORCEMENT
          1. F.1.1.3.1. Control
          2. F.1.1.3.2. Supplemental Guidance
          3. F.1.1.3.3. Control Enhancements
          4. F.1.1.3.4. LOW
          5. F.1.1.3.5. MOD
          6. F.1.1.3.6. HIGH
        4. F.1.1.4. AC-4 INFORMATION FLOW ENFORCEMENT
          1. F.1.1.4.1. Control
          2. F.1.1.4.2. Supplemental Guidance
          3. F.1.1.4.3. Control Enhancements
          4. F.1.1.4.4. LOW
          5. F.1.1.4.5. MOD
          6. F.1.1.4.6. HIGH
        5. F.1.1.5. AC-5 SEPARATION OF DUTIES
          1. F.1.1.5.1. Control
          2. F.1.1.5.2. Supplemental Guidance
          3. F.1.1.5.3. Control Enhancements
          4. F.1.1.5.4. LOW
          5. F.1.1.5.5. MOD
          6. F.1.1.5.6. HIGH
        6. F.1.1.6. AC-6 LEAST PRIVILEGE
          1. F.1.1.6.1. Control
          2. F.1.1.6.2. Supplemental Guidance
          3. F.1.1.6.3. Control Enhancements
          4. F.1.1.6.4. LOW
          5. F.1.1.6.5. MOD
          6. F.1.1.6.6. HIGH
        7. F.1.1.7. AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
          1. F.1.1.7.1. Control
          2. F.1.1.7.2. Supplemental Guidance
          3. F.1.1.7.3. Control Enhancements:
          4. F.1.1.7.4. LOW
          5. F.1.1.7.5. MOD
          6. F.1.1.7.6. HIGH
        8. F.1.1.8. AC-8 SYSTEM USE NOTIFICATION
          1. F.1.1.8.1. Control
          2. F.1.1.8.2. Supplemental Guidance
          3. F.1.1.8.3. Control Enhancements
          4. F.1.1.8.4. LOW
          5. F.1.1.8.5. MOD
          6. F.1.1.8.6. HIGH
        9. F.1.1.9. AC-9 PREVIOUS LOGON NOTIFICATION
          1. F.1.1.9.1. Control
          2. F.1.1.9.2. Supplemental Guidance
          3. F.1.1.9.3. Control Enhancements
          4. F.1.1.9.4. LOW
          5. F.1.1.9.5. MOD
          6. F.1.1.9.6. HIGH
        10. F.1.1.10. AC-10 CONCURRENT SESSION CONTROL
          1. F.1.1.10.1. Control
          2. F.1.1.10.2. Supplemental Guidance
          3. F.1.1.10.3. Control Enhancements
          4. F.1.1.10.4. LOW
          5. F.1.1.10.5. MOD
          6. F.1.1.10.6. HIGH
        11. F.1.1.11. AC-11 SESSION LOCK
          1. F.1.1.11.1. Control
          2. F.1.1.11.2. Supplemental Guidance
          3. F.1.1.11.3. Control Enhancements
          4. F.1.1.11.4. LOW
          5. F.1.1.11.5. MOD
          6. F.1.1.11.6. HIGH
        12. F.1.1.12. AC-12 SESSION TERMINATION
          1. F.1.1.12.1. Control
          2. F.1.1.12.2. Supplemental Guidance
          3. F.1.1.12.3. Control Enhancements
          4. F.1.1.12.4. LOW
          5. F.1.1.12.5. MOD
          6. F.1.1.12.6. HIGH
        13. F.1.1.13. AC-13 SUPERVISION AND REVIEW—ACCESS CONTROL
          1. F.1.1.13.1. Control
          2. F.1.1.13.2. Supplemental Guidance
          3. F.1.1.13.3. Control Enhancements
          4. F.1.1.13.4. LOW
          5. F.1.1.13.5. MOD
          6. F.1.1.13.6. HIGH
        14. F.1.1.14. AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
          1. F.1.1.14.1. Control
          2. F.1.1.14.2. Supplemental Guidance
          3. F.1.1.14.3. Control Enhancements
          4. F.1.1.14.4. LOW
          5. F.1.1.14.5. MOD
          6. F.1.1.14.6. HIGH
        15. F.1.1.15. AC-15 AUTOMATED MARKING
          1. F.1.1.15.1. Control
          2. F.1.1.15.2. Supplemental Guidance
          3. F.1.1.15.3. Control Enhancements
          4. F.1.1.15.4. LOW
          5. F.1.1.15.5. MOD
          6. F.1.1.15.6. HIGH
        16. F.1.1.16. AC-16 AUTOMATED LABELING
          1. F.1.1.16.1. Control
          2. F.1.1.16.2. Supplemental Guidance
          3. F.1.1.16.3. Control Enhancements
          4. F.1.1.16.4. LOW
          5. F.1.1.16.5. MOD
          6. F.1.1.16.6. HIGH
        17. F.1.1.17. AC-17 REMOTE ACCESS
          1. F.1.1.17.1. Control
          2. F.1.1.17.2. Supplemental Guidance
          3. F.1.1.17.3. Control Enhancements
          4. F.1.1.17.4. LOW
          5. F.1.1.17.5. MOD
          6. F.1.1.17.6. HIGH
        18. F.1.1.18. AC-18 WIRELESS ACCESS RESTRICTIONS
          1. F.1.1.18.1. Control
          2. F.1.1.18.2. Supplemental Guidance
          3. F.1.1.18.3. Control Enhancements
          4. F.1.1.18.4. LOW
          5. F.1.1.18.5. MOD
          6. F.1.1.18.6. HIGH
        19. F.1.1.19. AC-19 ACCESS CONTROL FOR PORTABLE AND MOBILE DEVICES
          1. F.1.1.19.1. Control
          2. F.1.1.19.2. Supplemental Guidance
          3. F.1.1.19.3. Control Enhancements
          4. F.1.1.19.4. LOW
          5. F.1.1.19.5. MOD
          6. F.1.1.19.6. HIGH
        20. F.1.1.20. AC-20 PERSONALLY OWNED INFORMATION SYSTEMS
          1. F.1.1.20.1. Control
          2. F.1.1.20.2. Supplemental Guidance
          3. F.1.1.20.3. Control Enhancements
          4. F.1.1.20.4. LOW
          5. F.1.1.20.5. MOD
          6. F.1.1.20.6. HIGH
      2. F.1.2. Family: Awareness And Training—Class: Operational
        1. F.1.2.1. AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
          1. F.1.2.1.1. Control
          2. F.1.2.1.2. Supplemental Guidance
          3. F.1.2.1.3. Control Enhancements
          4. F.1.2.1.4. LOW
          5. F.1.2.1.5. MOD
          6. F.1.2.1.6. HIGH
        2. F.1.2.2. AT-2 SECURITY AWARENESS
          1. F.1.2.2.1. Control
          2. F.1.2.2.2. Supplemental Guidance
          3. F.1.2.2.3. Control Enhancements
          4. F.1.2.2.4. LOW
          5. F.1.2.2.5. MOD
          6. F.1.2.2.6. HIGH
        3. F.1.2.3. AT-3 SECURITY TRAINING
          1. F.1.2.3.1. Control
          2. F.1.2.3.2. Supplemental Guidance
          3. F.1.2.3.3. Control Enhancements
          4. F.1.2.3.4. LOW
          5. F.1.2.3.5. MOD
          6. F.1.2.3.6. HIGH
        4. F.1.2.4. AT-4 SECURITY TRAINING RECORDS
          1. F.1.2.4.1. Control
          2. F.1.2.4.2. Supplemental Guidance
          3. F.1.2.4.3. Control Enhancements
          4. F.1.2.4.4. LOW
          5. F.1.2.4.5. MOD
          6. F.1.2.4.6. HIGH
      3. F.1.3. Family: Audit And Accountability—Class: Technical
        1. F.1.3.1. AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
          1. F.1.3.1.1. Control
          2. F.1.3.1.2. Supplemental Guidance
          3. F.1.3.1.3. Control Enhancements
          4. F.1.3.1.4. LOW
          5. F.1.3.1.5. MOD
          6. F.1.3.1.6. HIGH
        2. F.1.3.2. AU-2 AUDITABLE EVENTS
          1. F.1.3.2.1. Control
          2. F.1.3.2.2. Supplemental Guidance
          3. F.1.3.2.3. Control Enhancements
          4. F.1.3.2.4. LOW
          5. F.1.3.2.5. MOD
          6. F.1.3.2.6. HIGH
        3. F.1.3.3. AU-3 CONTENT OF AUDIT RECORDS
          1. F.1.3.3.1. Control
          2. F.1.3.3.2. Supplemental Guidance
          3. F.1.3.3.3. Control Enhancements
          4. F.1.3.3.4. LOW
          5. F.1.3.3.5. MOD
          6. F.1.3.3.6. HIGH
        4. F.1.3.4. AU-4 AUDIT STORAGE CAPACITY
          1. F.1.3.4.1. Control
          2. F.1.3.4.2. Supplemental Guidance
          3. F.1.3.4.3. Control Enhancements
          4. F.1.3.4.4. LOW
          5. F.1.3.4.5. MOD
          6. F.1.3.4.6. HIGH
        5. F.1.3.5. AU-5 AUDIT PROCESSING
          1. F.1.3.5.1. Control
          2. F.1.3.5.2. Supplemental Guidance
          3. F.1.3.5.3. Control Enhancements:
          4. F.1.3.5.4. LOW
          5. F.1.3.5.5. MOD
          6. F.1.3.5.6. HIGH
        6. F.1.3.6. AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
          1. F.1.3.6.1. Control
          2. F.1.3.6.2. Supplemental Guidance
          3. F.1.3.6.3. Control Enhancements
          4. F.1.3.6.4. LOW
          5. F.1.3.6.5. MOD
          6. F.1.3.6.6. HIGH
        7. F.1.3.7. AU-7 AUDIT REDUCTION AND REPORT GENERATION
          1. F.1.3.7.1. Control
          2. F.1.3.7.2. Supplemental Guidance
          3. F.1.3.7.3. Control Enhancements
          4. F.1.3.7.4. LOW
          5. F.1.3.7.5. MOD
          6. F.1.3.7.6. HIGH
        8. F.1.3.8. AU-8 TIME STAMPS
          1. F.1.3.8.1. Control
          2. F.1.3.8.2. Supplemental Guidance
          3. F.1.3.8.3. Control Enhancements
          4. F.1.3.8.4. LOW
          5. F.1.3.8.5. MOD
          6. F.1.3.8.6. HIGH
        9. F.1.3.9. AU-9 PROTECTION OF AUDIT INFORMATION
          1. F.1.3.9.1. Control:
          2. F.1.3.9.2. Supplemental Guidance
          3. F.1.3.9.3. Control Enhancements
          4. F.1.3.9.4. LOW
          5. F.1.3.9.5. MOD
          6. F.1.3.9.6. HIGH
        10. F.1.3.10. AU-10 NON-REPUDIATION
          1. F.1.3.10.1. Control:
          2. F.1.3.10.2. Supplemental Guidance
          3. F.1.3.10.3. Control Enhancements
          4. F.1.3.10.4. LOW
          5. F.1.3.10.5. MOD
          6. F.1.3.10.6. HIGH
        11. F.1.3.11. AU-11 AUDIT RETENTION
          1. F.1.3.11.1. Control
          2. F.1.3.11.2. Supplemental Guidance
          3. F.1.3.11.3. Control Enhancements
          4. F.1.3.11.4. LOW
          5. F.1.3.11.5. MOD
          6. F.1.3.11.6. HIGH
      4. F.1.4. Family: Certification, Accreditation, And Security—Class: Management Assessments
        1. F.1.4.1. CA-1 CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENT POLICIES AND PROCEDURES
          1. F.1.4.1.1. Control
          2. F.1.4.1.2. Supplemental Guidance
          3. F.1.4.1.3. Control Enhancements
          4. F.1.4.1.4. LOW
          5. F.1.4.1.5. MOD
          6. F.1.4.1.6. HIGH
        2. F.1.4.2. CA-2 SECURITY ASSESSMENTS
          1. F.1.4.2.1. Control
          2. F.1.4.2.2. Supplemental Guidance
          3. F.1.4.2.3. Control Enhancements
          4. F.1.4.2.4. LOW
          5. F.1.4.2.5. MOD
          6. F.1.4.2.6. HIGH
        3. F.1.4.3. CA-3 INFORMATION SYSTEM CONNECTIONS
          1. F.1.4.3.1. Control
          2. F.1.4.3.2. Supplemental Guidance
          3. F.1.4.3.3. Control Enhancements
          4. F.1.4.3.4. LOW
          5. F.1.4.3.5. MOD
          6. F.1.4.3.6. HIGH
        4. F.1.4.4. CA-4 SECURITY CERTIFICATION
          1. F.1.4.4.1. Control
          2. F.1.4.4.2. Supplemental Guidance
          3. F.1.4.4.3. Control Enhancements
          4. F.1.4.4.4. LOW
          5. F.1.4.4.5. MOD
          6. F.1.4.4.6. HIGH
        5. F.1.4.5. CA-5 PLAN OF ACTION AND MILESTONES
          1. F.1.4.5.1. Control
          2. F.1.4.5.2. Supplemental Guidance
          3. F.1.4.5.3. Control Enhancements
          4. F.1.4.5.4. LOW
          5. F.1.4.5.5. MOD
          6. F.1.4.5.6. HIGH
        6. F.1.4.6. CA-6 SECURITY ACCREDITATION
          1. F.1.4.6.1. Control
          2. F.1.4.6.2. Supplemental Guidance
          3. F.1.4.6.3. Control Enhancements
          4. F.1.4.6.4. LOW
          5. F.1.4.6.5. MOD
          6. F.1.4.6.6. HIGH
        7. F.1.4.7. CA-7 CONTINUOUS MONITORING
          1. F.1.4.7.1. Control:
          2. F.1.4.7.2. Supplemental Guidance
          3. F.1.4.7.3. Control Enhancements
          4. F.1.4.7.4. LOW
          5. F.1.4.7.5. MOD
          6. F.1.4.7.6. HIGH
      5. F.1.5. Family: Configuration Management—Class: Operational
        1. F.1.5.1. CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
          1. F.1.5.1.1. Control
          2. F.1.5.1.2. Supplemental Guidance
          3. F.1.5.1.3. Control Enhancements
          4. F.1.5.1.4. LOW
          5. F.1.5.1.5. MOD
          6. F.1.5.1.6. HIGH
        2. F.1.5.2. CM-2 BASELINE CONFIGURATION
          1. F.1.5.2.1. Control
          2. F.1.5.2.2. Supplemental Guidance
          3. F.1.5.2.3. Control Enhancements
          4. F.1.5.2.4. LOW
          5. F.1.5.2.5. MOD
          6. F.1.5.2.6. HIGH
        3. F.1.5.3. CM-3 CONFIGURATION CHANGE CONTROL
          1. F.1.5.3.1. Control
          2. F.1.5.3.2. Supplemental Guidance
          3. F.1.5.3.3. Control Enhancements
          4. F.1.5.3.4. LOW
          5. F.1.5.3.5. MOD
          6. F.1.5.3.6. HIGH
        4. F.1.5.4. CM-4 MONITORING CONFIGURATION CHANGES
          1. F.1.5.4.1. Control
          2. F.1.5.4.2. Supplemental Guidance
          3. F.1.5.4.3. Control Enhancements
          4. F.1.5.4.4. LOW
          5. F.1.5.4.5. MOD
          6. F.1.5.4.6. HIGH
        5. F.1.5.5. CM-5 ACCESS RESTRICTIONS FOR CHANGE
          1. F.1.5.5.1. Control
          2. F.1.5.5.2. Supplemental Guidance
          3. F.1.5.5.3. Control Enhancements
          4. F.1.5.5.4. LOW
          5. F.1.5.5.5. MOD
          6. F.1.5.5.6. HIGH
        6. F.1.5.6. CM-6 CONFIGURATION SETTINGS
          1. F.1.5.6.1. Control
          2. F.1.5.6.2. Supplemental Guidance
          3. F.1.5.6.3. Control Enhancements
          4. F.1.5.6.4. LOW
          5. F.1.5.6.5. MOD
          6. F.1.5.6.6. HIGH
        7. F.1.5.7. CM-7 LEAST FUNCTIONALITY
          1. F.1.5.7.1. Control
          2. F.1.5.7.2. Supplemental Guidance
          3. F.1.5.7.3. Control Enhancements
          4. F.1.5.7.4. LOW
          5. F.1.5.7.5. MOD
          6. F.1.5.7.6. HIGH
      6. F.1.6. Family: Contingency Planning—Class: Operational
        1. F.1.6.1. CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
          1. F.1.6.1.1. Control
          2. F.1.6.1.2. Supplemental Guidance
          3. F.1.6.1.3. Control Enhancements
          4. F.1.6.1.4. LOW
          5. F.1.6.1.5. MOD
          6. F.1.6.1.6. HIGH
        2. F.1.6.2. CP-2 CONTINGENCY PLAN
          1. F.1.6.2.1. Control
          2. F.1.6.2.2. Supplemental Guidance
          3. F.1.6.2.3. Control Enhancements
          4. F.1.6.2.4. LOW
          5. F.1.6.2.5. MOD
          6. F.1.6.2.6. HIGH
        3. F.1.6.3. CP-3 CONTINGENCY TRAINING
          1. F.1.6.3.1. Control
          2. F.1.6.3.2. Supplemental Guidance
          3. F.1.6.3.3. Control Enhancements
          4. F.1.6.3.4. LOW
          5. F.1.6.3.5. MOD
          6. F.1.6.3.6. HIGH
        4. F.1.6.4. CP-4 CONTINGENCY PLAN TESTING
          1. F.1.6.4.1. Control
          2. F.1.6.4.2. Supplemental Guidance
          3. F.1.6.4.3. Control Enhancements
          4. F.1.6.4.4. LOW
          5. F.1.6.4.5. MOD
          6. F.1.6.4.6. HIGH
        5. F.1.6.5. CP-5 CONTINGENCY PLAN UPDATE
          1. F.1.6.5.1. Control
          2. F.1.6.5.2. Supplemental Guidance
          3. F.1.6.5.3. Control Enhancements
          4. F.1.6.5.4. LOW
          5. F.1.6.5.5. MOD
          6. F.1.6.5.6. HIGH
        6. F.1.6.6. CP-6 ALTERNATE STORAGE SITES
          1. F.1.6.6.1. Control
          2. F.1.6.6.2. Supplemental Guidance
          3. F.1.6.6.3. Control Enhancements
          4. F.1.6.6.4. LOW
          5. F.1.6.6.5. MOD
          6. F.1.6.6.6. HIGH
        7. F.1.6.7. CP-7 ALTERNATE PROCESSING SITES
          1. F.1.6.7.1. Control
          2. F.1.6.7.2. Supplemental Guidance
          3. F.1.6.7.3. Control Enhancements
          4. F.1.6.7.4. LOW
          5. F.1.6.7.5. MOD
          6. F.1.6.7.6. HIGH
        8. F.1.6.8. CP-8 TELECOMMUNICATIONS SERVICES
          1. F.1.6.8.1. Control
          2. F.1.6.8.2. Supplemental Guidance
          3. F.1.6.8.3. Control Enhancements
          4. F.1.6.8.4. LOW
          5. F.1.6.8.5. MOD
          6. F.1.6.8.6. HIGH
        9. F.1.6.9. CP-9 INFORMATION SYSTEM BACKUP
          1. F.1.6.9.1. Control
          2. F.1.6.9.2. Supplemental Guidance
          3. F.1.6.9.3. Control Enhancements
          4. F.1.6.9.4. LOW
          5. F.1.6.9.5. MOD
          6. F.1.6.9.6. HIGH
        10. F.1.6.10. CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
          1. F.1.6.10.1. Control
          2. F.1.6.10.2. Supplemental Guidance
          3. F.1.6.10.3. Control Enhancements
          4. F.1.6.10.4. LOW
          5. F.1.6.10.5. MOD
          6. F.1.6.10.6. HIGH
      7. F.1.7. Family: Identification And Authentication—Class: Technical
        1. F.1.7.1. IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
          1. F.1.7.1.1. Control
          2. F.1.7.1.2. Supplemental Guidance
          3. F.1.7.1.3. Control Enhancements
          4. F.1.7.1.4. LOW
          5. F.1.7.1.5. MOD
          6. F.1.7.1.6. HIGH
        2. F.1.7.2. IA-2 USER IDENTIFICATION AND AUTHENTICATION
          1. F.1.7.2.1. Control
          2. F.1.7.2.2. Supplemental Guidance
          3. F.1.7.2.3. Control Enhancements:
          4. F.1.7.2.4. LOW
          5. F.1.7.2.5. MOD
          6. F.1.7.2.6. HIGH
        3. F.1.7.3. IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
          1. F.1.7.3.1. Control
          2. F.1.7.3.2. Supplemental Guidance
          3. F.1.7.3.3. Control Enhancements
          4. F.1.7.3.4. LOW
          5. F.1.7.3.5. MOD
          6. F.1.7.3.6. HIGH
        4. F.1.7.4. IA-4 IDENTIFIER MANAGEMENT
          1. F.1.7.4.1. Control
          2. F.1.7.4.2. Supplemental Guidance
          3. F.1.7.4.3. Control Enhancements
          4. F.1.7.4.4. LOW
          5. F.1.7.4.5. MOD
          6. F.1.7.4.6. HIGH
        5. F.1.7.5. IA-5 AUTHENTICATOR MANAGEMENT
          1. F.1.7.5.1. Control
          2. F.1.7.5.2. Supplemental Guidance
          3. F.1.7.5.3. Control Enhancements
          4. F.1.7.5.4. LOW
          5. F.1.7.5.5. MOD
          6. F.1.7.5.6. HIGH
        6. F.1.7.6. IA-6 AUTHENTICATOR FEEDBACK
          1. F.1.7.6.1. Control
          2. F.1.7.6.2. Supplemental Guidance
          3. F.1.7.6.3. Control Enhancements
          4. F.1.7.6.4. LOW
          5. F.1.7.6.5. MOD
          6. F.1.7.6.6. HIGH
        7. F.1.7.7. IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
          1. F.1.7.7.1. Control
          2. F.1.7.7.2. Supplemental Guidance
          3. F.1.7.7.3. Control Enhancements
          4. F.1.7.7.4. LOW
          5. F.1.7.7.5. MOD
          6. F.1.7.7.6. HIGH
      8. F.1.8. Family: Incident Response—Class: Operational
        1. F.1.8.1. IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
          1. F.1.8.1.1. Control
          2. F.1.8.1.2. Supplemental Guidance
          3. F.1.8.1.3. Control Enhancements
          4. F.1.8.1.4. LOW
          5. F.1.8.1.5. MOD
          6. F.1.8.1.6. HIGH
        2. F.1.8.2. IR-2 INCIDENT RESPONSE TRAINING
          1. F.1.8.2.1. Control
          2. F.1.8.2.2. Supplemental Guidance
          3. F.1.8.2.3. Control Enhancements
          4. F.1.8.2.4. LOW
          5. F.1.8.2.5. MOD
          6. F.1.8.2.6. HIGH
        3. F.1.8.3. IR-3 INCIDENT RESPONSE TESTING
          1. F.1.8.3.1. Control
          2. F.1.8.3.2. Supplemental Guidance
          3. F.1.8.3.3. Control Enhancements
          4. F.1.8.3.4. LOW
          5. F.1.8.3.5. MOD
          6. F.1.8.3.6. HIGH
        4. F.1.8.4. IR-4 INCIDENT HANDLING
          1. F.1.8.4.1. Control
          2. F.1.8.4.2. Supplemental Guidance
          3. F.1.8.4.3. Control Enhancements:
          4. F.1.8.4.4. LOW
          5. F.1.8.4.5. MOD
          6. F.1.8.4.6. HIGH
        5. F.1.8.5. IR-5 INCIDENT MONITORING
          1. F.1.8.5.1. Control
          2. F.1.8.5.2. Supplemental Guidance
          3. F.1.8.5.3. Control Enhancements
          4. F.1.8.5.4. LOW
          5. F.1.8.5.5. MOD
          6. F.1.8.5.6. HIGH
        6. F.1.8.6. IR-6 INCIDENT REPORTING
          1. F.1.8.6.1. Control
          2. F.1.8.6.2. Supplemental Guidance:
          3. F.1.8.6.3. Control Enhancements
          4. F.1.8.6.4. LOW
          5. F.1.8.6.5. MOD
          6. F.1.8.6.6. HIGH
        7. F.1.8.7. IR-7 INCIDENT RESPONSE ASSISTANCE
          1. F.1.8.7.1. Control
          2. F.1.8.7.2. Supplemental Guidance
          3. F.1.8.7.3. Control Enhancements
          4. F.1.8.7.4. LOW
          5. F.1.8.7.5. MOD
          6. F.1.8.7.6. HIGH
      9. F.1.9. Family: Maintenance—Class: Operational
        1. F.1.9.1. MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
          1. F.1.9.1.1. Control
          2. F.1.9.1.2. Supplemental Guidance
          3. F.1.9.1.3. Control Enhancements
          4. F.1.9.1.4. LOW
          5. F.1.9.1.5. MOD
          6. F.1.9.1.6. HIGH
        2. F.1.9.2. MA-2 PERIODIC MAINTENANCE
          1. F.1.9.2.1. Control
          2. F.1.9.2.2. Supplemental Guidance
          3. F.1.9.2.3. Control Enhancements
          4. F.1.9.2.4. LOW
          5. F.1.9.2.5. MOD
          6. F.1.9.2.6. HIGH
        3. F.1.9.3. MA-3 MAINTENANCE TOOLS
          1. F.1.9.3.1. Control
          2. F.1.9.3.2. Supplemental Guidance
          3. F.1.9.3.3. Control Enhancements
          4. F.1.9.3.4. LOW
          5. F.1.9.3.5. MOD
          6. F.1.9.3.6. HIGH
        4. F.1.9.4. MA-4 REMOTE MAINTENANCE
          1. F.1.9.4.1. Control
          2. F.1.9.4.2. Supplemental Guidance
          3. F.1.9.4.3. Control Enhancements
          4. F.1.9.4.4. LOW
          5. F.1.9.4.5. MOD
          6. F.1.9.4.6. HIGH
        5. F.1.9.5. MA-5 MAINTENANCE PERSONNEL
          1. F.1.9.5.1. Control
          2. F.1.9.5.2. Supplemental Guidance
          3. F.1.9.5.3. Control Enhancements
          4. F.1.9.5.4. LOW
          5. F.1.9.5.5. MOD
          6. F.1.9.5.6. HIGH
        6. F.1.9.6. MA-6 TIMELY MAINTENANCE
          1. F.1.9.6.1. Control
          2. F.1.9.6.2. Supplemental Guidance
          3. F.1.9.6.3. Control Enhancements
          4. F.1.9.6.4. LOW
          5. F.1.9.6.5. MOD
          6. F.1.9.6.6. HIGH
      10. F.1.10. Family: Media Protection—Class: Operational
        1. F.1.10.1. MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
          1. F.1.10.1.1. Control
          2. F.1.10.1.2. Supplemental Guidance
          3. F.1.10.1.3. Control Enhancements
          4. F.1.10.1.4. LOW
          5. F.1.10.1.5. MOD
          6. F.1.10.1.6. HIGH
        2. F.1.10.2. MP-2 MEDIA ACCESS
          1. F.1.10.2.1. Control
          2. F.1.10.2.2. Supplemental Guidance
          3. F.1.10.2.3. Control Enhancements
          4. F.1.10.2.4. LOW
          5. F.1.10.2.5. MOD
          6. F.1.10.2.6. HIGH
        3. F.1.10.3. MP-3 MEDIA LABELING
          1. F.1.10.3.1. Control
          2. F.1.10.3.2. Supplemental Guidance
          3. F.1.10.3.3. Control Enhancements
          4. F.1.10.3.4. LOW
          5. F.1.10.3.5. MOD
          6. F.1.10.3.6. HIGH
        4. F.1.10.4. MP-4 MEDIA STORAGE
          1. F.1.10.4.1. Control
          2. F.1.10.4.2. Supplemental Guidance
          3. F.1.10.4.3. Control Enhancements
          4. F.1.10.4.4. LOW
          5. F.1.10.4.5. MOD
          6. F.1.10.4.6. HIGH
        5. F.1.10.5. MP-5 MEDIA TRANSPORT
          1. F.1.10.5.1. Control
          2. F.1.10.5.2. Supplemental Guidance
          3. F.1.10.5.3. Control Enhancements
          4. F.1.10.5.4. LOW
          5. F.1.10.5.5. MOD
          6. F.1.10.5.6. HIGH
        6. F.1.10.6. MP-6 MEDIA SANITIZATION
          1. F.1.10.6.1. Control
          2. F.1.10.6.2. Supplemental Guidance
          3. F.1.10.6.3. Control Enhancements
          4. F.1.10.6.4. LOW
          5. F.1.10.6.5. MOD
          6. F.1.10.6.6. HIGH
        7. F.1.10.7. MP-7 MEDIA DESTRUCTION AND DISPOSAL
          1. F.1.10.7.1. Control
          2. F.1.10.7.2. Supplemental Guidance
          3. F.1.10.7.3. Control Enhancements
          4. F.1.10.7.4. LOW
          5. F.1.10.7.5. MOD
          6. F.1.10.7.6. HIGH
      11. F.1.11. Family: Physical And Environmental Protection—Class: Operational
        1. F.1.11.1. PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
          1. F.1.11.1.1. Control
          2. F.1.11.1.2. Supplemental Guidance
          3. F.1.11.1.3. Control Enhancements
          4. F.1.11.1.4. LOW
          5. F.1.11.1.5. MOD
          6. F.1.11.1.6. HIGH
        2. F.1.11.2. PE-2 PHYSICAL ACCESS AUTHORIZATIONS
          1. F.1.11.2.1. Control
          2. F.1.11.2.2. Supplemental Guidance
          3. F.1.11.2.3. Control Enhancements
          4. F.1.11.2.4. LOW
          5. F.1.11.2.5. MOD
          6. F.1.11.2.6. HIGH
        3. F.1.11.3. PE-3 PHYSICAL ACCESS CONTROL
          1. F.1.11.3.1. Control
          2. F.1.11.3.2. Supplemental Guidance
          3. F.1.11.3.3. Control Enhancements
          4. F.1.11.3.4. LOW
          5. F.1.11.3.5. MOD
          6. F.1.11.3.6. HIGH
        4. F.1.11.4. PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
          1. F.1.11.4.1. Control
          2. F.1.11.4.2. Supplemental Guidance
          3. F.1.11.4.3. Control Enhancements
          4. F.1.11.4.4. LOW
          5. F.1.11.4.5. MOD
          6. F.1.11.4.6. HIGH
        5. F.1.11.5. PE-5 ACCESS CONTROL FOR DISPLAY MEDIUM
          1. F.1.11.5.1. Control
          2. F.1.11.5.2. Supplemental Guidance
          3. F.1.11.5.3. Control Enhancements
          4. F.1.11.5.4. LOW
          5. F.1.11.5.5. MOD
          6. F.1.11.5.6. HIGH
        6. F.1.11.6. PE-6 MONITORING PHYSICAL ACCESS
          1. F.1.11.6.1. Control
          2. F.1.11.6.2. Supplemental Guidance
          3. F.1.11.6.3. Control Enhancements
          4. F.1.11.6.4. LOW
          5. F.1.11.6.5. MOD
          6. F.1.11.6.6. HIGH
        7. F.1.11.7. PE-7 VISITOR CONTROL
          1. F.1.11.7.1. Control
          2. F.1.11.7.2. Supplemental Guidance
          3. F.1.11.7.3. Control Enhancements
          4. F.1.11.7.4. LOW
          5. F.1.11.7.5. MOD
          6. F.1.11.7.6. HIGH
        8. F.1.11.8. PE-8 ACCESS LOGS
          1. F.1.11.8.1. Control
          2. F.1.11.8.2. Supplemental Guidance
          3. F.1.11.8.3. Control Enhancements
          4. F.1.11.8.4. LOW
          5. F.1.11.8.5. MOD
          6. F.1.11.8.6. HIGH
        9. F.1.11.9. PE-9 POWER EQUIPMENT AND POWER CABLING
          1. F.1.11.9.1. Control
          2. F.1.11.9.2. Supplemental Guidance
          3. F.1.11.9.3. Control Enhancements
          4. F.1.11.9.4. LOW
          5. F.1.11.9.5. MOD
          6. F.1.11.9.6. HIGH
        10. F.1.11.10. PE-10 EMERGENCY SHUTOFF
          1. F.1.11.10.1. Control
          2. F.1.11.10.2. Supplemental Guidance
          3. F.1.11.10.3. Control Enhancements
          4. F.1.11.10.4. LOW
          5. F.1.11.10.5. MOD
          6. F.1.11.10.6. HIGH
        11. F.1.11.11. PE-11 EMERGENCY POWER
          1. F.1.11.11.1. Control
          2. F.1.11.11.2. Supplemental Guidance
          3. F.1.11.11.3. Control Enhancements
          4. F.1.11.11.4. LOW
          5. F.1.11.11.5. MOD
          6. F.1.11.11.6. HIGH
        12. F.1.11.12. PE-12 EMERGENCY LIGHTING
          1. F.1.11.12.1. Control
          2. F.1.11.12.2. Supplemental Guidance
          3. F.1.11.12.3. Control Enhancements
          4. F.1.11.12.4. LOW
          5. F.1.11.12.5. MOD
          6. F.1.11.12.6. HIGH
        13. F.1.11.13. PE-13 FIRE PROTECTION
          1. F.1.11.13.1. Control
          2. F.1.11.13.2. Supplemental Guidance
          3. F.1.11.13.3. Control Enhancements
          4. F.1.11.13.4. LOW
          5. F.1.11.13.5. MOD
          6. F.1.11.13.6. HIGH
        14. F.1.11.14. PE-14 TEMPERATURE AND HUMIDITY CONTROLS
          1. F.1.11.14.1. Control
          2. F.1.11.14.2. Supplemental Guidance
          3. F.1.11.14.3. Control Enhancements
          4. F.1.11.14.4. LOW
          5. F.1.11.14.5. MOD
          6. F.1.11.14.6. HIGH
        15. F.1.11.15. PE-15 WATER DAMAGE PROTECTION
          1. F.1.11.15.1. Control
          2. F.1.11.15.2. Supplemental Guidance
          3. F.1.11.15.3. Control Enhancements
          4. F.1.11.15.4. LOW
          5. F.1.11.15.5. MOD
          6. F.1.11.15.6. HIGH
        16. F.1.11.16. PE-16 DELIVERY AND REMOVAL
          1. F.1.11.16.1. Control
          2. F.1.11.16.2. Supplemental Guidance
          3. F.1.11.16.3. Control Enhancements
          4. F.1.11.16.4. LOW
          5. F.1.11.16.5. MOD
          6. F.1.11.16.6. HIGH
        17. F.1.11.17. PE-17 ALTERNATE WORK SITE
          1. F.1.11.17.1. Control
          2. F.1.11.17.2. Supplemental Guidance
          3. F.1.11.17.3. Control Enhancements
          4. F.1.11.17.4. LOW
          5. F.1.11.17.5. MOD
          6. F.1.11.17.6. HIGH
      12. F.1.12. Family: Planning—Class: Management
        1. F.1.12.1. PL-1 SECURITY PLANNING POLICY AND PROCEDURES
          1. F.1.12.1.1. Control
          2. F.1.12.1.2. Supplemental Guidance
          3. F.1.12.1.3. Control Enhancements
          4. F.1.12.1.4. LOW
          5. F.1.12.1.5. MOD
          6. F.1.12.1.6. HIGH
        2. F.1.12.2. PL-2 SYSTEM SECURITY PLAN
          1. F.1.12.2.1. Control
          2. F.1.12.2.2. Supplemental Guidance
          3. F.1.12.2.3. Control Enhancements
          4. F.1.12.2.4. LOW
          5. F.1.12.2.5. MOD
          6. F.1.12.2.6. HIGH
        3. F.1.12.3. PL-3 SYSTEM SECURITY PLAN UPDATE
          1. F.1.12.3.1. Control
          2. F.1.12.3.2. Supplemental Guidance
          3. F.1.12.3.3. Control Enhancements
          4. F.1.12.3.4. LOW
          5. F.1.12.3.5. MOD
          6. F.1.12.3.6. HIGH
        4. F.1.12.4. PL-4 RULES OF BEHAVIOR
          1. F.1.12.4.1. Control
          2. F.1.12.4.2. Supplemental Guidance
          3. F.1.12.4.3. Control Enhancements
          4. F.1.12.4.4. LOW
          5. F.1.12.4.5. MOD
          6. F.1.12.4.6. HIGH
        5. F.1.12.5. PL-5 PRIVACY IMPACT ASSESSMENT
          1. F.1.12.5.1. Control
          2. F.1.12.5.2. Supplemental Guidance
          3. F.1.12.5.3. Control Enhancements
          4. F.1.12.5.4. LOW
          5. F.1.12.5.5. MOD
          6. F.1.12.5.6. HIGH
      13. F.1.13. Family: Personnel Security—Class: Operational
        1. F.1.13.1. PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
          1. F.1.13.1.1. Control
          2. F.1.13.1.2. Supplemental Guidance
          3. F.1.13.1.3. Control Enhancements
          4. F.1.13.1.4. LOW
          5. F.1.13.1.5. MOD
          6. F.1.13.1.6. HIGH
        2. F.1.13.2. PS-2 POSITION CATEGORIZATION
          1. F.1.13.2.1. Control
          2. F.1.13.2.2. Supplemental Guidance
          3. F.1.13.2.3. Control Enhancements
          4. F.1.13.2.4. LOW
          5. F.1.13.2.5. MOD
          6. F.1.13.2.6. HIGH
        3. F.1.13.3. PS-3 PERSONNEL SCREENING
          1. F.1.13.3.1. Control
          2. F.1.13.3.2. Supplemental Guidance
          3. F.1.13.3.3. Control Enhancements
          4. F.1.13.3.4. LOW
          5. F.1.13.3.5. MOD
          6. F.1.13.3.6. HIGH
        4. F.1.13.4. PS-4 PERSONNEL TERMINATION
          1. F.1.13.4.1. Control
          2. F.1.13.4.2. Supplemental Guidance
          3. F.1.13.4.3. Control Enhancements
          4. F.1.13.4.4. LOW
          5. F.1.13.4.5. MOD
          6. F.1.13.4.6. HIGH
        5. F.1.13.5. PS-5 PERSONNEL TRANSFER
          1. F.1.13.5.1. Control
          2. F.1.13.5.2. Supplemental Guidance
          3. F.1.13.5.3. Control Enhancements
          4. F.1.13.5.4. LOW
          5. F.1.13.5.5. MOD
          6. F.1.13.5.6. HIGH
        6. F.1.13.6. PS-6 ACCESS AGREEMENTS
          1. F.1.13.6.1. Control
          2. F.1.13.6.2. Supplemental Guidance
          3. F.1.13.6.3. Control Enhancements
          4. F.1.13.6.4. LOW
          5. F.1.13.6.5. MOD
          6. F.1.13.6.6. HIGH
        7. F.1.13.7. PS-7 THIRD-PARTY PERSONNEL SECURITY
          1. F.1.13.7.1. Control
          2. F.1.13.7.2. Supplemental Guidance
          3. F.1.13.7.3. Control Enhancements
          4. F.1.13.7.4. LOW
          5. F.1.13.7.5. MOD
          6. F.1.13.7.6. HIGH
        8. F.1.13.8. PS-8 PERSONNEL SANCTIONS
          1. F.1.13.8.1. Control
          2. F.1.13.8.2. Supplemental Guidance
          3. F.1.13.8.3. Control Enhancements
          4. F.1.13.8.4. LOW
          5. F.1.13.8.5. MOD
          6. F.1.13.8.6. HIGH
      14. F.1.14. Family: Risk Assessment—Class: Management
        1. F.1.14.1. RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
          1. F.1.14.1.1. Control
          2. F.1.14.1.2. Supplemental Guidance
          3. F.1.14.1.3. Control Enhancements
          4. F.1.14.1.4. LOW
          5. F.1.14.1.5. MOD
          6. F.1.14.1.6. HIGH
        2. F.1.14.2. RA-2 SECURITY CATEGORIZATION
          1. F.1.14.2.1. Control
          2. F.1.14.2.2. Supplemental Guidance
          3. F.1.14.2.3. Control Enhancements
          4. F.1.14.2.4. LOW
          5. F.1.14.2.5. MOD
          6. F.1.14.2.6. HIGH
        3. F.1.14.3. RA-3 RISK ASSESSMENT
          1. F.1.14.3.1. Control
          2. F.1.14.3.2. Supplemental Guidance
          3. F.1.14.3.3. Control Enhancements
          4. F.1.14.3.4. LOW
          5. F.1.14.3.5. MOD
          6. F.1.14.3.6. HIGH
        4. F.1.14.4. RA-4 RISK ASSESSMENT UPDATE
          1. F.1.14.4.1. Control
          2. F.1.14.4.2. Supplemental Guidance
          3. F.1.14.4.3. Control Enhancements
          4. F.1.14.4.4. LOW
          5. F.1.14.4.5. MOD
          6. F.1.14.4.6. HIGH
        5. F.1.14.5. RA-5 VULNERABILITY SCANNING
          1. F.1.14.5.1. Control
          2. F.1.14.5.2. Supplemental Guidance
          3. F.1.14.5.3. Control Enhancements
          4. F.1.14.5.4. LOW
          5. F.1.14.5.5. MOD
          6. F.1.14.5.6. HIGH
      15. F.1.15. Family: System And Services Acquisition—Class: Management
        1. F.1.15.1. SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
          1. F.1.15.1.1. Control
          2. F.1.15.1.2. Supplemental Guidance
          3. F.1.15.1.3. Control Enhancements
          4. F.1.15.1.4. LOW
          5. F.1.15.1.5. MOD
          6. F.1.15.1.6. HIGH
        2. F.1.15.2. SA-2 ALLOCATION OF RESOURCES
          1. F.1.15.2.1. Control
          2. F.1.15.2.2. Supplemental Guidance
          3. F.1.15.2.3. Control Enhancements
          4. F.1.15.2.4. LOW
          5. F.1.15.2.5. MOD
          6. F.1.15.2.6. HIGH
        3. F.1.15.3. SA-3 LIFE CYCLE SUPPORT
          1. F.1.15.3.1. Control
          2. F.1.15.3.2. Supplemental Guidance
          3. F.1.15.3.3. Control Enhancements
          4. F.1.15.3.4. LOW
          5. F.1.15.3.5. MOD
          6. F.1.15.3.6. HIGH
        4. F.1.15.4. SA-4 ACQUISITIONS
          1. F.1.15.4.1. Control
          2. F.1.15.4.2. Supplemental Guidance
          3. F.1.15.4.3. Control Enhancements
          4. F.1.15.4.4. LOW
          5. F.1.15.4.5. MOD
          6. F.1.15.4.6. HIGH
        5. F.1.15.5. SA-5 INFORMATION SYSTEM DOCUMENTATION
          1. F.1.15.5.1. Control
          2. F.1.15.5.2. Supplemental Guidance
          3. F.1.15.5.3. Control Enhancements
          4. F.1.15.5.4. LOW
          5. F.1.15.5.5. MOD
          6. F.1.15.5.6. HIGH
        6. F.1.15.6. SA-6 SOFTWARE USAGE RESTRICTIONS
          1. F.1.15.6.1. Control
          2. F.1.15.6.2. Supplemental Guidance
          3. F.1.15.6.3. Control Enhancements
          4. F.1.15.6.4. LOW
          5. F.1.15.6.5. MOD
          6. F.1.15.6.6. HIGH
        7. F.1.15.7. SA-7 USER INSTALLED SOFTWARE
          1. F.1.15.7.1. Control
          2. F.1.15.7.2. Supplemental Guidance
          3. F.1.15.7.3. Control Enhancements
          4. F.1.15.7.4. LOW
          5. F.1.15.7.5. MOD
          6. F.1.15.7.6. HIGH
        8. F.1.15.8. SA-8 SECURITY DESIGN PRINCIPLES
          1. F.1.15.8.1. Control
          2. F.1.15.8.2. Supplemental Guidance
          3. F.1.15.8.3. Control Enhancements
          4. F.1.15.8.4. LOW
          5. F.1.15.8.5. MOD
          6. F.1.15.8.6. HIGH
        9. F.1.15.9. SA-9 OUTSOURCED INFORMATION SYSTEM SERVICES
          1. F.1.15.9.1. Control
          2. F.1.15.9.2. Supplemental Guidance
          3. F.1.15.9.3. Control Enhancements
          4. F.1.15.9.4. LOW
          5. F.1.15.9.5. MOD
          6. F.1.15.9.6. HIGH
        10. F.1.15.10. SA-10 DEVELOPER CONFIGURATION MANAGEMENT
          1. F.1.15.10.1. Control
          2. F.1.15.10.2. Supplemental Guidance
          3. F.1.15.10.3. Control Enhancements
          4. F.1.15.10.4. LOW
          5. F.1.15.10.5. MOD
          6. F.1.15.10.6. HIGH
        11. F.1.15.11. SA-11 DEVELOPER SECURITY TESTING
          1. F.1.15.11.1. Control
          2. F.1.15.11.2. Supplemental Guidance
          3. F.1.15.11.3. Control Enhancements
          4. F.1.15.11.4. LOW
          5. F.1.15.11.5. MOD
          6. F.1.15.11.6. HIGH
      16. F.1.16. Family: System And Communications Protection—Class: Technical
        1. F.1.16.1. SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
          1. F.1.16.1.1. Control
          2. F.1.16.1.2. Supplemental Guidance
          3. F.1.16.1.3. Control Enhancements
          4. F.1.16.1.4. LOW
          5. F.1.16.1.5. MOD
          6. F.1.16.1.6. HIGH
        2. F.1.16.2. SC-2 APPLICATION PARTITIONING
          1. F.1.16.2.1. Control
          2. F.1.16.2.2. Supplemental Guidance
          3. F.1.16.2.3. Control Enhancements
          4. F.1.16.2.4. LOW
          5. F.1.16.2.5. MOD
          6. F.1.16.2.6. HIGH
        3. F.1.16.3. SC-3 SECURITY FUNCTION ISOLATION
          1. F.1.16.3.1. Control
          2. F.1.16.3.2. Supplemental Guidance
          3. F.1.16.3.3. Control Enhancements
          4. F.1.16.3.4. LOW
          5. F.1.16.3.5. MOD
          6. F.1.16.3.6. HIGH
        4. F.1.16.4. SC-4 INFORMATION REMNANTS
          1. F.1.16.4.1. Control
          2. F.1.16.4.2. Supplemental Guidance
          3. F.1.16.4.3. Control Enhancements
          4. F.1.16.4.4. LOW
          5. F.1.16.4.5. MOD
          6. F.1.16.4.6. HIGH
        5. F.1.16.5. SC-5 DENIAL OF SERVICE PROTECTION
          1. F.1.16.5.1. Control
          2. F.1.16.5.2. Supplemental Guidance
          3. F.1.16.5.3. Control Enhancements
          4. F.1.16.5.4. LOW
          5. F.1.16.5.5. MOD
          6. F.1.16.5.6. HIGH
        6. F.1.16.6. SC-6 RESOURCE PRIORITY
          1. F.1.16.6.1. Control
          2. F.1.16.6.2. Supplemental Guidance
          3. F.1.16.6.3. Control Enhancements
          4. F.1.16.6.4. LOW
          5. F.1.16.6.5. MOD
          6. F.1.16.6.6. HIGH
        7. F.1.16.7. SC-7 BOUNDARY PROTECTION
          1. F.1.16.7.1. Control
          2. F.1.16.7.2. Supplemental Guidance
          3. F.1.16.7.3. Control Enhancements
          4. F.1.16.7.4. LOW
          5. F.1.16.7.5. MOD
          6. F.1.16.7.6. HIGH
        8. F.1.16.8. SC-8 TRANSMISSION INTEGRITY
          1. F.1.16.8.1. Control
          2. F.1.16.8.2. Supplemental Guidance
          3. F.1.16.8.3. Control Enhancements
          4. F.1.16.8.4. LOW
          5. F.1.16.8.5. MOD
          6. F.1.16.8.6. HIGH
        9. F.1.16.9. SC-9 TRANSMISSION CONFIDENTIALITY
          1. F.1.16.9.1. Control
          2. F.1.16.9.2. Supplemental Guidance
          3. F.1.16.9.3. Control Enhancements
          4. F.1.16.9.4. LOW
          5. F.1.16.9.5. MOD
          6. F.1.16.9.6. HIGH
        10. F.1.16.10. SC-10 NETWORK DISCONNECT
          1. F.1.16.10.1. Control
          2. F.1.16.10.2. Supplemental Guidance
          3. F.1.16.10.3. Control Enhancements
          4. F.1.16.10.4. LOW
          5. F.1.16.10.5. MOD
          6. F.1.16.10.6. HIGH
        11. F.1.16.11. SC-11 TRUSTED PATH
          1. F.1.16.11.1. Control
          2. F.1.16.11.2. Supplemental Guidance
          3. F.1.16.11.3. Control Enhancements
          4. F.1.16.11.4. LOW
          5. F.1.16.11.5. MOD
          6. F.1.16.11.6. HIGH
        12. F.1.16.12. SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
          1. F.1.16.12.1. Control
          2. F.1.16.12.2. Supplemental Guidance
          3. F.1.16.12.3. Control Enhancements
          4. F.1.16.12.4. LOW
          5. F.1.16.12.5. MOD
          6. F.1.16.12.6. HIGH
        13. F.1.16.13. SC-13 USE OF VALIDATED CRYPTOGRAPHY
          1. F.1.16.13.1. Control
          2. F.1.16.13.2. Supplemental Guidance
          3. F.1.16.13.3. Control Enhancements
          4. F.1.16.13.4. LOW
          5. F.1.16.13.5. MOD
          6. F.1.16.13.6. HIGH
        14. F.1.16.14. SC-14 PUBLIC ACCESS PROTECTIONS
          1. F.1.16.14.1. Control
          2. F.1.16.14.2. Supplemental Guidance
          3. F.1.16.14.3. Control Enhancements
          4. F.1.16.14.4. LOW
          5. F.1.16.14.5. MOD
          6. F.1.16.14.6. HIGH
        15. F.1.16.15. SC-15 COLLABORATIVE COMPUTING
          1. F.1.16.15.1. Control
          2. F.1.16.15.2. Supplemental Guidance
          3. F.1.16.15.3. Control Enhancements
          4. F.1.16.15.4. LOW
          5. F.1.16.15.5. MOD
          6. F.1.16.15.6. HIGH
        16. F.1.16.16. SC-16 TRANSMISSION OF SECURITY PARAMETERS
          1. F.1.16.16.1. Control
          2. F.1.16.16.2. Supplemental Guidance
          3. F.1.16.16.3. Control Enhancements
          4. F.1.16.16.4. LOW
          5. F.1.16.16.5. MOD
          6. F.1.16.16.6. HIGH
        17. F.1.16.17. SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
          1. F.1.16.17.1. Control
          2. F.1.16.17.2. Supplemental Guidance
          3. F.1.16.17.3. Control Enhancements
          4. F.1.16.17.4. LOW
          5. F.1.16.17.5. MOD
          6. F.1.16.17.6. HIGH
        18. F.1.16.18. SC-18 MOBILE CODE
          1. F.1.16.18.1. Control
          2. F.1.16.18.2. Supplemental Guidance
          3. F.1.16.18.3. Control Enhancements
          4. F.1.16.18.4. LOW
          5. F.1.16.18.5. MOD
          6. F.1.16.18.6. HIGH
        19. F.1.16.19. SC-19 VOICE OVER INTERNET PROTOCOL
          1. F.1.16.19.1. Control
          2. F.1.16.19.2. Supplemental Guidance
          3. F.1.16.19.3. Control Enhancements
          4. F.1.16.19.4. LOW
          5. F.1.16.19.5. MOD
          6. F.1.16.19.6. HIGH
      17. F.1.17. Family: System And Information Integrity–Class: Operational
        1. F.1.17.1. SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
          1. F.1.17.1.1. Control
          2. F.1.17.1.2. Supplemental Guidance
          3. F.1.17.1.3. Control Enhancements
          4. F.1.17.1.4. LOW
          5. F.1.17.1.5. MOD
          6. F.1.17.1.6. HIGH
        2. F.1.17.2. SI-2 FLAW REMEDIATION
          1. F.1.17.2.1. Control
          2. F.1.17.2.2. Supplemental Guidance
          3. F.1.17.2.3. Control Enhancements
          4. F.1.17.2.4. LOW
          5. F.1.17.2.5. MOD
          6. F.1.17.2.6. HIGH
        3. F.1.17.3. SI-3 MALICIOUS CODE PROTECTION
          1. F.1.17.3.1. Control
          2. F.1.17.3.2. Supplemental Guidance
          3. F.1.17.3.3. Control Enhancements
          4. F.1.17.3.4. LOW
          5. F.1.17.3.5. MOD
          6. F.1.17.3.6. HIGH
        4. F.1.17.4. SI-4 INTRUSION DETECTION TOOLS AND TECHNIQUES
          1. F.1.17.4.1. Control
          2. F.1.17.4.2. Supplemental Guidance
          3. F.1.17.4.3. Control Enhancements
          4. F.1.17.4.4. LOW
          5. F.1.17.4.5. MOD
          6. F.1.17.4.6. HIGH
        5. F.1.17.5. SI-5 SECURITY ALERTS AND ADVISORIES
          1. F.1.17.5.1. Control
          2. F.1.17.5.2. Supplemental Guidance
          3. F.1.17.5.3. Control Enhancements
          4. F.1.17.5.4. LOW
          5. F.1.17.5.5. MOD
          6. F.1.17.5.6. HIGH
        6. F.1.17.6. SI-6 SECURITY FUNCTIONALITY VERIFICATION
          1. F.1.17.6.1. Control
          2. F.1.17.6.2. Supplemental Guidance
          3. F.1.17.6.3. Control Enhancements
          4. F.1.17.6.4. LOW
          5. F.1.17.6.5. MOD
          6. F.1.17.6.6. HIGH
        7. F.1.17.7. SI-7 SOFTWARE AND INFORMATION INTEGRITY
          1. F.1.17.7.1. Control
          2. F.1.17.7.2. Supplemental Guidance
          3. F.1.17.7.3. Control Enhancements
          4. F.1.17.7.4. LOW
          5. F.1.17.7.5. MOD
          6. F.1.17.7.6. HIGH
        8. F.1.17.8. SI-8 SPAM AND SPYWARE PROTECTION
          1. F.1.17.8.1. Control
          2. F.1.17.8.2. Supplemental Guidance
          3. F.1.17.8.3. Control Enhancements
          4. F.1.17.8.4. LOW
          5. F.1.17.8.5. MOD
          6. F.1.17.8.6. HIGH
        9. F.1.17.9. SI-9 INFORMATION INPUT RESTRICTIONS
          1. F.1.17.9.1. Control
          2. F.1.17.9.2. Supplemental Guidance
          3. F.1.17.9.3. Control Enhancements
          4. F.1.17.9.4. LOW
          5. F.1.17.9.5. MOD
          6. F.1.17.9.6. HIGH
        10. F.1.17.10. SI-10 INFORMATION INPUT ACCURACY, COMPLETENESS, AND VALIDITY
          1. F.1.17.10.1. Control:
          2. F.1.17.10.2. Supplemental Guidance
          3. F.1.17.10.3. Control Enhancements
          4. F.1.17.10.4. LOW
          5. F.1.17.10.5. MOD
          6. F.1.17.10.6. HIGH
        11. F.1.17.11. SI-11 ERROR HANDLING
          1. F.1.17.11.1. Control
          2. F.1.17.11.2. Supplemental Guidance
          3. F.1.17.11.3. Control Enhancements
          4. F.1.17.11.4. LOW
          5. F.1.17.11.5. MOD
          6. F.1.17.11.6. HIGH
        12. F.1.17.12. SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
          1. F.1.17.12.1. Control
          2. F.1.17.12.2. Supplemental Guidance
          3. F.1.17.12.3. Control Enhancements
          4. F.1.17.12.4. LOW
          5. F.1.17.12.5. MOD
          6. F.1.17.12.6. HIGH
  15. G. Control Baselines