Joint task force transformation initiative




Table of Contents

introduction
1.1 purpose and applicability
1.2 target audience
1.3 relationship to other security control publications
1.4 organizational responsibilities
1.5 organization of this special publication

the fundamentals
2.1 multitiered risk management
2.2 security control structure
2.4 security control designations
2.5 external service providers
2.6 assurance and trustworthiness
2.7 revisions and extensions

the process
3.1 selecting security control baselines
3.2 tailoring baseline security controls
3.3 creating overlays
3.4 documenting the control selection process
3.5 new development and legacy systems

references
glossary
acronyms
security control baselines – summary
assurance and trustworthiness
security control catalog
information security programs
international information security standards
overlay template
privacy control catalog




Prologue

“…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”



-- The National Strategy for Cyberspace Operations

Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

Foreword

NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:


  • Assumptions relating to security control baseline development;

  • Expanded, updated, and streamlined tailoring guidance;

  • Additional assignment and selection statement options for security and privacy controls;

  • Descriptive names for security and privacy control enhancements;

  • Consolidated tables for security controls and control enhancements by family with baseline allocations;

  • Tables for security controls that support development, evaluation, and operational assurance; and

  • Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).

The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

The Joint Task Force

Errata



The following changes have been incorporated into Special Publication 800-53, Revision 4.

| DATE | TYPE | CHANGE | PAGE |
|---|---|---|---|
| 05-07-2013 | Editorial | Changed CA-9 Priority Code from P1 to P2 in Table D-2. | D-3 |
| 05-07-2013 | Editorial | Changed CM-10 Priority Code from P1 to P2 in Table D-2. | D-4 |
| 05-07-2013 | Editorial | Changed MA-6 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed MP-3 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-5 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-16 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-17 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-18 Priority Code from P2 to P3 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PL-4 Priority Code from P1 to P2 in Table D-2. | D-6 |
| 05-07-2013 | Editorial | Changed PS-4 Priority Code from P2 to P1 in Table D-2. | D-6 |
| 05-07-2013 | Editorial | Changed SA-11 Priority Code from P2 to P1 in Table D-2. | D-6 |
| 05-07-2013 | Editorial | Changed SC-18 Priority Code from P1 to P2 in Table D-2. | D-7 |
| 05-07-2013 | Editorial | Changed SI-8 Priority Code from P1 to P2 in Table D-2. | D-8 |
| 05-07-2013 | Editorial | Deleted reference to SA-5(6) in Table D-17. | D-32 |
| 05-07-2013 | Editorial | Deleted CM-4(3) from Table E-2. | E-4 |
| 05-07-2013 | Editorial | Deleted CM-4(3) from Table E-3. | E-5 |
| 05-07-2013 | Editorial | Deleted reference to SA-5(6). | F-161 |
| 05-07-2013 | Editorial | Changed SI-16 Priority Code from P0 to P1. | F-233 |
| 01-15-2014 | Editorial | Deleted “(both intentional and unintentional)” in line 5 in Abstract. | iii |
| 01-15-2014 | Editorial | Deleted “security and privacy” in line 5 in Abstract. | iii |
| 01-15-2014 | Editorial | Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2. | 9 |
| 01-15-2014 | Editorial | Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.” | 11 |
| 01-15-2014 | Editorial | Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2nd paragraph, line 6. | 13 |
| 01-15-2014 | Editorial | Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4. | 28 |
| 01-15-2014 | Editorial | Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5. | 28 |
| 01-15-2014 | Editorial | Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3. | 29 |
| 01-15-2014 | Editorial | Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4. | 29 |
| 01-15-2014 | Editorial | Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6. | 29 |
| 01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1. | 30 |
| 01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5. | 31 |
| 01-15-2014 | Editorial | Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1. | 33 |
| 01-15-2014 | Editorial | Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2. | 33 |
| 01-15-2014 | Editorial | Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3. | 33 |
| 01-15-2014 | Editorial | Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5. | 33 |
| 01-15-2014 | Editorial | Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6. | 33 |
| 01-15-2014 | Editorial | Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8. | 33 |
| 01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10. | 36 |
| 01-15-2014 | Editorial | Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1. | 40 |
| 01-15-2014 | Editorial | Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda. | A-1 |
| 01-15-2014 | Editorial | Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References. | A-7 |
| 01-15-2014 | Editorial | Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1. | A-7 |
| 01-15-2014 | Editorial | Changed date for NIST Special Publication 800-52, Revision 1 to September 2013. | A-7 |
| 01-15-2014 | Editorial | Moved definition for Information Security Risk after Information Security Program Plan in Glossary. | B-11 |
| 01-15-2014 | Editorial | Added AC-2(11) to high baseline in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AC-10 Priority Code from P2 to P3 in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AC-14 Priority Code from P1 to P3 in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AC-22 Priority Code from P2 to P3 in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AU-10 Priority Code from P1 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed CA-6 Priority Code from P3 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed CA-7 Priority Code from P3 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed CA-8 Priority Code from P1 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed IA-6 Priority Code from P1 to P2 in Table D-2. | D-4 |
| 01-15-2014 | Editorial | Changed IR-7 Priority Code from P3 to P2 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Changed MA-3 Priority Code from P2 to P3 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Changed MA-4 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Changed MA-5 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Deleted Program Management Controls from Table D-2. | D-8/9 |
| 01-15-2014 | Editorial | Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.” | D-9 |
| 01-15-2014 | Editorial | Added AC-2(12) and AC-2(13) to high baseline in Table D-3. | D-10 |
| 01-15-2014 | Editorial | Changed AC-17(5) incorporated into reference from AC-17 to SI-4 in Table D-3. | D-12 |
| 01-15-2014 | Editorial | Changed AC-17(7) incorporated into reference from AC-3 to AC-3(10) in Table D-3. | D-12 |
| 01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice in Table D-5. | D-15 |
| 01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19(4) title in Table D-17. | D-34 |
| 01-15-2014 | Editorial | Deleted SC-9(1), SC-9(2), SC-9(3), and SC-9(4) from Table D-18. | D-37 |
| 01-15-2014 | Editorial | Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18. | D-37 |
| 01-15-2014 | Editorial | Deleted CA-3(5) from Table E-2. | E-4 |
| 01-15-2014 | Editorial | Added CM-3(2) to Table E-2. | E-4 |
| 01-15-2014 | Editorial | Added RA-5(2) and RA-5(5) to Table E-2. | E-4 |
| 01-15-2014 | Editorial | Deleted CA-3(5) from Table E-3. | E-5 |
| 01-15-2014 | Editorial | Added CM-3(2) to Table E-3. | E-5 |
| 01-15-2014 | Editorial | Deleted bold text from RA-5(2) and RA-5(5) in Table E-3. | E-5 |
| 01-15-2014 | Editorial | Added CM-8(9) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Added CP-4(4) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Added IR-3(1) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Added RA-5(3) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Deleted SA-4(4) from Table E-4. | E-7 |
| 01-15-2014 | Editorial | Changed SA-21(1) from “enhancements” to “enhancement” in Table E-4. | E-7 |
| 01-15-2014 | Editorial | Deleted SI-4(8) from Table E-4. | E-7 |
| 01-15-2014 | Editorial | Changed “risk management process” to “RMF” in Using the Catalog, line 4. | F-6 |
| 01-15-2014 | Editorial | Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5. | F-6 |
| 01-15-2014 | Editorial | Deleted extraneous “,” from AC-2 g. | F-7 |
| 01-15-2014 | Editorial | Added AC-2(11) to high baseline. | F-10 |
| 01-15-2014 | Substantive | Added the following text to AC-3(2) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-11 |
| 01-15-2014 | Editorial | Changed “ucdmo.gov” to “None” in AC-4 References. | F-18 |
| 01-15-2014 | Editorial | Added “.” after “C.F.R” in AT-2 References. | F-38 |
| 01-15-2014 | Editorial | Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice. | F-42 |
| 01-15-2014 | Editorial | Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References. | F-42 |
| 01-15-2014 | Editorial | Changed “identify” to “identity” in AU-6(6) Supplemental Guidance. | F-46 |
| 01-15-2014 | Substantive | Added the following text to AU-9(5) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-49 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to AU-15. | F-53 |
| 01-15-2014 | Editorial | Deleted extraneous “.” from CM-2(7) Supplemental Guidance. | F-66 |
| 01-15-2014 | Editorial | Added “)” after “board” in CM-3 g. | F-66 |
| 01-15-2014 | Substantive | Added CA-7 to related controls list in CM-3. | F-66 |
| 01-15-2014 | Substantive | Added the following text to CM-5(4) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-69 |
| 01-15-2014 | Editorial | Added “http://” to URLs in CM-6 References. | F-71 |
| 01-15-2014 | Editorial | Added “component” before “inventories” in CM-8(5). | F-74 |
| 01-15-2014 | Editorial | Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References. | F-86 |
| 01-15-2014 | Substantive | Added the following text to CP-9(7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-87 |
| 01-15-2014 | Editorial | Changed “HSPD 12” to “HSPD-12” and added “http://” to URL in IA-2 References. | F-93 |
| 01-15-2014 | Editorial | Changed “encrypted representations of” to “cryptographically-protected” in IA-5(1) (c). | F-96 |
| 01-15-2014 | Editorial | Changed “Encrypted representations of” to “Cryptographically-protected” in IA-5(1) Supplemental Guidance. | F-97 |
| 01-15-2014 | Substantive | Added the following text to IA-5(1) Supplemental Guidance: “To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.” | F-97 |
| 01-15-2014 | Editorial | Added “http://” to URL in IA-5 References. | F-99 |
| 01-15-2014 | Editorial | Added “http://” to URL in IA-7 References. | F-99 |
| 01-15-2014 | Editorial | Added “http://” to URL in IA-8 References. | F-101 |
| 01-15-2014 | Editorial | Changed “:” to “;” after “800-61” and added “http://” to URL in IR-6 References. | F-108 |
| 01-15-2014 | Substantive | Added the following text to MP-6(7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-124 |
| 01-15-2014 | Editorial | Added “http://” to URL in MP-6 References. | F-124 |
| 01-15-2014 | Editorial | Changed “DoDI” to “DoD Instruction” and added “http://” to URLs in PE-3 References. | F-130 |
| 01-15-2014 | Editorial | Deleted “and supplementation” after “tailoring” in PL-2 a. 8. | F-140 |
| 01-15-2014 | Editorial | Added “Special” before “Publication” in PL-4 References. | F-141 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to PL-7. | F-142 |
| 01-15-2014 | Editorial | Deleted AT-5, AC-19(6), AC-19(8), and AC-19(9) from PL-9 Supplemental Guidance. | F-144 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to PL-9. | F-144 |
| 01-15-2014 | Editorial | Added “Special” before “Publication” in PL-9 References. | F-144 |
| 01-15-2014 | Editorial | Changed “731.106(a)” to “731.106” in PS-2 References. | F-145 |
| 01-15-2014 | Editorial | Changed “Publication” to “Publications” and added “http://” to URL in RA-3 References. | F-153 |
| 01-15-2014 | Editorial | Added “http://” to URLs in RA-5 References. | F-155 |
| 01-15-2014 | Editorial | Added “http://” to URLs in SA-4 References. | F-160 |
| 01-15-2014 | Substantive | Added the following text to SA-11(8) Supplemental Guidance: “To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).” | F-169 |
| 01-15-2014 | Editorial | Added “http://” to URLs in SA-11 References. | F-169 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to SA-16. | F-177 |
| 01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19(4) title. | F-181 |
| 01-15-2014 | Editorial | Changed “physical” to “protected” in SC-8 Supplemental Guidance. | F-193 |
| 01-15-2014 | Editorial | Changed “140-2” to “140” and added “http://” to URLs in SC-13 References. | F-196 |
| 01-15-2014 | Editorial | Added “authentication” after “data origin” in SC-20, Part a. | F-199 |
| 01-15-2014 | Editorial | Added “verification” after “integrity” in SC-20, Part a. | F-199 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to SC-35. | F-209 |
| 01-15-2014 | Editorial | Deleted extraneous “References: None” from SI-7. | F-228 |
| 01-15-2014 | Substantive | Added the following text as new third paragraph in Appendix G: “Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control.” | G-1/2 |
| 01-15-2014 | Editorial | Added Table G-1 to Appendix G. | G-2 |
| 01-15-2014 | Editorial | Added “http://” to URL in PM-5 References. | G-5 |
| 01-15-2014 | Editorial | Deleted “Web: www.fsam.gov” from PM-7 References. | G-5 |
| 01-15-2014 | Editorial | Added “http://” to URL in Footnote 124. | J-22 |
| 01-22-2015 | Editorial | Changed security control enhancement naming convention (i.e., format) by deleting space between base security control and numbered enhancement designation. | Global |
| 01-22-2015 | Editorial | Changed “(iv) and” to “and (iv)” in Glossary definition for Developer. | B-6 |
| 01-22-2015 | Editorial | Changed “an IR-2 (1) in the high baseline entry for the IR-2 security control” to “the IR-2 (1) (2) entry in the high baseline for IR-2” in Appendix D, paragraph 1, line 8. | D-1 |
| 01-22-2015 | Editorial | Changed “enhancement (1)” to “enhancements (1) and (2)” in Appendix D, paragraph 1, line 10. | D-1 |
| 01-22-2015 | Editorial | Deleted “in the security control catalog” in Appendix D, paragraph 1, line 10. | D-1 |
| 01-22-2015 | Editorial | Changed “SHARED GROUPS / ACCOUNTS” to “SHARED / GROUP ACCOUNTS” in Table D-3, AC-2(9) title. | D-10 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in Table D-4, AT-3(1) title. | D-14 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in Table D-4, AT-3(2) title. | D-14 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in Table D-4, AT-3(3) title. | D-14 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in Table D-4, AT-3(4) title. | D-14 |
| 01-22-2015 | Editorial | Added “-BASED” to “BIOMETRIC” in Table D-9, IA-5(12) title. | D-23 |
| 01-22-2015 | Editorial | Deleted “/ ANALYSIS” after “PENETRATION TESTING” in Table D-17, SA-11(5) title. | D-33 |
| 01-22-2015 | Editorial | Changed “(1)” from normal font to bold font in Table E-4, SI-4(1). | E-7 |
| 01-22-2015 | Editorial | Changed “SHARED GROUPS / ACCOUNTS” to “SHARED / GROUP ACCOUNTS” in AC-2(9) title. | F-10 |
| 01-22-2015 | Editorial | Changed “use” to “usage” in AC-2(12) part (a). | F-10 |
| 01-22-2015 | Editorial | Changed “policies” to “policy” in AC-3(3). | F-11 |
| 01-22-2015 | Editorial | Deleted “specifies that” in AC-3(3). | F-11 |
| 01-22-2015 | Editorial | Changed “The policy is” to “Is” in AC-3(3) part (a). | F-11 |
| 01-22-2015 | Editorial | Changed “A” to “Specifies that a” in AC-3(3) part (b). | F-11 |
| 01-22-2015 | Editorial | Added “Specifies that” to AC-3(3) part (c). | F-11 |
| 01-22-2015 | Editorial | Changed “Organized-defined” to “organization-defined” in AC-3(3) part (c). | F-11 |
| 01-22-2015 | Editorial | Changed “policies” to “policy” in AC-3(4). | F-12 |
| 01-22-2015 | Editorial | Added “information” before “flows” in AC-4(7). | F-15 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in AT-3(1) title. | F-39 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in AT-3(2) title. | F-39 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in AT-3(3) title. | F-39 |
| 01-22-2015 | Editorial | Added “ROLE-BASED” before “SECURITY TRAINING” in AT-3(4) title. | F-39 |
| 01-22-2015 | Editorial | Added “the” before “relationship” in AU-12(1). | F-52 |
| 01-22-2015 | Editorial | Moved “.” outside of closing bracket in Withdrawn section. | F-61 |
| 01-22-2015 | Editorial | Changed “that” to “those” in CP-7 part c. | F-84 |
| 01-22-2015 | Editorial | Deleted “list of” in IA-2(10). | F-92 |
| 01-22-2015 | Editorial | Deleted “such as documentary evidence or a combination of documents and biometrics” in IA-4(3). | F-95 |
| 01-22-2015 | Editorial | Added “, such as documentary evidence or a combination of documents and biometrics,” in IA-4(3) Supplemental Guidance. | F-95 |
| 01-22-2015 | Editorial | Added “-BASED” to “BIOMETRIC” in IA-5(12) title. | F-98 |
| 01-22-2015 | Editorial | Changed “testing/exercises” to “testing” in IR-4 part c. | F-105 |
| 01-22-2015 | Editorial | Deleted “and” before “prior” in MA-4(3) part (b). | F-115 |
| 01-22-2015 | Editorial | Changed “Sanitation” to “Sanitization” in MP-7(2) Supplemental Guidance (two instances). | F-125 |
| 01-22-2015 | Editorial | Changed “resign” to “re-sign” in PL-4 part d. | F-141 |
| 01-22-2015 | Editorial | Deleted “security categorization decision is reviewed and approved by the” before “authorizing” (first instance) in RA-2 part c. | F-151 |
| 01-22-2015 | Editorial | Added “reviews and approves the security categorization decision” after “representative” RA-2 part c. | F-151 |
| 01-22-2015 | Editorial | Changed “;” to “,” after IA-2 in SA-4(10) Supplemental Guidance. | F-160 |
| 01-22-2015 | Editorial | Added “takes” before assignment statement in SA-5 part c. | F-161 |
| 01-22-2015 | Editorial | Changed “either is” to “is either” in SA-11(3) part (b). | F-167 |
| 01-22-2015 | Editorial | Deleted “has been” before “granted” in SA-11(3) part (b). | F-167 |
| 01-22-2015 | Editorial | Deleted “/ ANALYSIS” after “PENETRATION TESTING” in SA-11(5) title. | F-168 |
| 01-22-2015 | Editorial | Deleted “enhancement” after “control” in SA-12 Supplemental Guidance. | F-169 |
| 01-22-2015 | Editorial | Deleted “Related control: PE-21.” from SA-12(9) Supplemental Guidance. | F-171 |
| 01-22-2015 | Editorial | Changed “reference to source” to “references to sources” in SC-5. | F-187 |
| 01-22-2015 | Editorial | Added “to be” before “routed to” in SC-7(11). | F-190 |
| 01-22-2015 | Editorial | Changed “i” to “1” and “ii” to “2” in SI-4 part c. | F-219 |
| 01-22-2015 | Editorial | Changed “USER” to “USERS” in SI-4(20) title. | F-223 |
| 01-22-2015 | Editorial | Deleted “for” in SI-6(2). | F-225 |
| 01-22-2015 | Editorial | Changed “interfaces” to “interactions” in SI-10(4) Supplemental Guidance. | F-229 |
| 01-22-2015 | Editorial | Changed “-” to “,” after AU-7 in PM-12 Supplemental Guidance. | G-8 |
| 01-22-2015 | Substantive | Updated the introduction to Appendix H and Tables H-1 and H-2 in accordance with the 2013 version of ISO/IEC 27001 and revised security control mapping methodology. | H-1 through H-12 |
| 01-22-2015 | Editorial | Deleted UL-3 from related controls list in SE-1. | J-20 |





chapter one
