Joint task force transformation initiative

Download 5.8 Mb.

Page	2/186
Date	31.01.2017
Size	5.8 Mb.
	#13082

1 2 3 4 5 6 7 8 9 ... 186

P rolog ue
The Joint Task Force

Table of Contents

introduction 22

1.1 purpose and applicability 23

1.2 target audience 24

1.3 relationship to other security control publications 24

1.4 organizational responsibilities 25

1.5 organization of this special publication 27

the fundamentals 28

2.1 multitiered risk management 28

2.2 security control structure 32

2.4 security control designations 37

2.5 external service providers 41

2.6 assurance and trustworthiness 44

2.7 revisions and extensions 53

the process 55

3.1 selecting security control baselines 55

3.2 tailoring baseline security controls 58

3.3 creating overlays 68

3.4 documenting the control selection process 69

3.5 new development and legacy systems 73

references 76

glossary 87

acronyms 113

security control baselines – summary 115

assurance and trustworthiness 159

security control catalog 167

information security programs 415

international information security standards 425

overlay template 459

privacy control catalog 463

Prologue

“…Through the process of risk management, leaders must consider risk to US interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations… “

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…"

-- The National Strategy for Cyberspace Operations

Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense

Foreword

NIST Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This “Build It Right” strategy is coupled with a variety of security controls for “Continuous Monitoring” to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.

Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:

Assumptions relating to security control baseline development;
Expanded, updated, and streamlined tailoring guidance;
Additional assignment and selection statement options for security and privacy controls;
Descriptive names for security and privacy control enhancements;
Consolidated tables for security controls and control enhancements by family with baseline allocations;
Tables for security controls that support development, evaluation, and operational assurance; and
Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).

The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

The Joint Task Force

Errata

The following changes have been incorporated into Special Publication 800-53, Revision 4.

DATE	TYPE	CHANGE	PAGE
05-07-2013	Editorial	Changed CA-9 Priority Code from P1 to P2 in Table D-2.	D-3
05-07-2013	Editorial	Changed CM-10 Priority Code from P1 to P2 in Table D-2.	D-4
05-07-2013	Editorial	Changed MA-6 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed MP-3 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-5 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-16 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-17 Priority Code from P1 to P2 in Table D-2.	D-5
05-07-2013	Editorial	Changed PE-18 Priority Code from P2 to P3 in Table D-2.	D-5
05-07-2013	Editorial	Changed PL-4 Priority Code from P1 to P2 in Table D-2.	D-6
05-07-2013	Editorial	Changed PS-4 Priority Code from P2 to P1 in Table D-2.	D-6
05-07-2013	Editorial	Changed SA-11 Priority Code from P2 to P1 in Table D-2.	D-6
05-07-2013	Editorial	Changed SC-18 Priority Code from P1 to P2 in Table D-2.	D-7
05-07-2013	Editorial	Changed SI-8 Priority Code from P1 to P2 in Table D-2.	D-8
05-07-2013	Editorial	Deleted reference to SA-5(6) in Table D-17.	D-32
05-07-2013	Editorial	Deleted CM-4(3) from Table E-2.	E-4
05-07-2013	Editorial	Deleted CM-4(3) from Table E-3.	E-5
05-07-2013	Editorial	Deleted reference to SA-5(6).	F-161
05-07-2013	Editorial	Changed SI-16 Priority Code from P0 to P1.	F-233
01-15-2014	Editorial	Deleted “(both intentional and unintentional)” in line 5 in Abstract.	iii
01-15-2014	Editorial	Deleted “security and privacy” in line 5 in Abstract.	iii
01-15-2014	Editorial	Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2.	9
01-15-2014	Editorial	Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.”	11
01-15-2014	Editorial	Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2^nd paragraph, line 6.	13
01-15-2014	Editorial	Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4.	28
01-15-2014	Editorial	Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5.	28
01-15-2014	Editorial	Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3.	29
01-15-2014	Editorial	Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4.	29
01-15-2014	Editorial	Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6.	29
01-15-2014	Editorial	Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1.	30
01-15-2014	Editorial	Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5.	31
01-15-2014	Editorial	Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1.	33
01-15-2014	Editorial	Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2.	33
01-15-2014	Editorial	Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3.	33
01-15-2014	Editorial	Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5.	33
01-15-2014	Editorial	Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6.	33
01-15-2014	Editorial	Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8.	33
01-15-2014	Editorial	Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10.	36
01-15-2014	Editorial	Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1.	40
01-15-2014	Editorial	Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda.	A-1
01-15-2014	Editorial	Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References.	A-7
01-15-2014	Editorial	Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1.	A-7
01-15-2014	Editorial	Changed date for NIST Special Publication 800-52, Revision 1 to September 2013.	A-7
01-15-2014	Editorial	Moved definition for Information Security Risk after Information Security Program Plan in Glossary.	B-11
01-15-2014	Editorial	Added AC-2(11) to high baseline in Table D-2.	D-2
01-15-2014	Editorial	Changed AC-10 Priority Code from P2 to P3 in Table D-2.	D-2
01-15-2014	Editorial	Changed AC-14 Priority Code from P1 to P3 in Table D-2.	D-2
01-15-2014	Editorial	Changed AC-22 Priority Code from P2 to P3 in Table D-2.	D-2
01-15-2014	Editorial	Changed AU-10 Priority Code from P1 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed CA-6 Priority Code from P3 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed CA-7 Priority Code from P3 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed CA-8 Priority Code from P1 to P2 in Table D-2.	D-3
01-15-2014	Editorial	Changed IA-6 Priority Code from P1 to P2 in Table D-2.	D-4
01-15-2014	Editorial	Changed IR-7 Priority Code from P3 to P2 in Table D-2.	D-5
01-15-2014	Editorial	Changed MA-3 Priority Code from P2 to P3 in Table D-2.	D-5
01-15-2014	Editorial	Changed MA-4 Priority Code from P1 to P2 in Table D-2.	D-5
01-15-2014	Editorial	Changed MA-5 Priority Code from P1 to P2 in Table D-2.	D-5
01-15-2014	Editorial	Deleted Program Management Controls from Table D-2.	D-8/9
01-15-2014	Editorial	Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.”	D-9
01-15-2014	Editorial	Added AC-2(12) and AC-2(13) to high baseline in Table D-3.	D-10
01-15-2014	Editorial	Changed AC-17(5) incorporated into reference from AC-17 to SI-4 in Table D-3.	D-12
01-15-2014	Editorial	Changed AC-17(7) incorporated into reference from AC-3 to AC-3(10) in Table D-3.	D-12
01-15-2014	Editorial	Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice in Table D-5.	D-15
01-15-2014	Editorial	Changed “Training” to “Scanning” in SA-19(4) title in Table D-17.	D-34
01-15-2014	Editorial	Deleted SC-9(1), SC-9(2), SC-9(3), and SC-9(4) from Table D-18.	D-37
01-15-2014	Editorial	Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18.	D-37
01-15-2014	Editorial	Deleted CA-3(5) from Table E-2.	E-4
01-15-2014	Editorial	Added CM-3(2) to Table E-2.	E-4
01-15-2014	Editorial	Added RA-5(2) and RA-5(5) to Table E-2.	E-4
01-15-2014	Editorial	Deleted CA-3(5) from Table E-3.	E-5
01-15-2014	Editorial	Added CM-3(2) to Table E-3.	E-5
01-15-2014	Editorial	Deleted bold text from RA-5(2) and RA-5(5) in Table E-3.	E-5
01-15-2014	Editorial	Added CM-8(9) to Table E-4.	E-7
01-15-2014	Editorial	Added CP-4(4) to Table E-4.	E-7
01-15-2014	Editorial	Added IR-3(1) to Table E-4.	E-7
01-15-2014	Editorial	Added RA-5(3) to Table E-4.	E-7
01-15-2014	Editorial	Deleted SA-4(4) from Table E-4.	E-7
01-15-2014	Editorial	Changed SA-21(1) from “enhancements” to “enhancement” in Table E-4.	E-7
01-15-2014	Editorial	Deleted SI-4(8) from Table E-4.	E-7
01-15-2014	Editorial	Changed “risk management process” to “RMF” in Using the Catalog, line 4.	F-6
01-15-2014	Editorial	Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5.	F-6
01-15-2014	Editorial	Deleted extraneous “,” from AC-2 g.	F-7
01-15-2014	Editorial	Added AC-2(11) to high baseline.	F-10
01-15-2014	Substantive	Added the following text to AC-3(2) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-11
01-15-2014	Editorial	Changed “ucdmo.gov” to “None” in AC-4 References.	F-18
01-15-2014	Editorial	Added “.” after “C.F.R” in AT-2 References.	F-38
01-15-2014	Editorial	Changed AC-6 to AC-6(9) in AU-2(4) withdrawal notice.	F-42
01-15-2014	Editorial	Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References.	F-42
01-15-2014	Editorial	Changed “identify” to “identity” in AU-6(6) Supplemental Guidance.	F-46
01-15-2014	Substantive	Added the following text to AU-9(5) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-49
01-15-2014	Editorial	Added “Control Enhancements: None.” to AU-15.	F-53
01-15-2014	Editorial	Deleted extraneous “.” from CM-2(7) Supplemental Guidance.	F-66
01-15-2014	Editorial	Added “)” after “board” in CM-3 g.	F-66
01-15-2014	Substantive	Added CA-7 to related controls list in CM-3.	F-66
01-15-2014	Substantive	Added the following text to CM-5(4) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-69
01-15-2014	Editorial	Added “http://” to URLs in CM-6 References.	F-71
01-15-2014	Editorial	Added “component” before “inventories” in CM-8(5).	F-74
01-15-2014	Editorial	Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References.	F-86
01-15-2014	Substantive	Added the following text to CP-9(7) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-87
01-15-2014	Editorial	Changed “HSPD 12” to “HSPD-12” and added “http://” to URL in IA-2 References.	F-93
01-15-2014	Editorial	Changed “encrypted representations of” to “cryptographically-protected” in IA-5(1) (c).	F-96
01-15-2014	Editorial	Changed “Encrypted representations of” to “Cryptographically-protected” in IA-5(1) Supplemental Guidance.	F-97
01-15-2014	Substantive	Added the following text to IA-5(1) Supplemental Guidance: “To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.”	F-97
01-15-2014	Editorial	Added “http://” to URL in IA-5 References.	F-99
01-15-2014	Editorial	Added “http://” to URL in IA-7 References.	F-99
01-15-2014	Editorial	Added “http://” to URL in IA-8 References.	F-101
01-15-2014	Editorial	Changed “:” to “;” after “800-61” and added “http://” to URL in IR-6 References.	F-108
01-15-2014	Substantive	Added the following text to MP-6(7) Supplemental Guidance: “Dual authorization may also be known as two-person control.”	F-124
01-15-2014	Editorial	Added “http://” to URL in MP-6 References.	F-124
01-15-2014	Editorial	Changed “DoDI” to “DoD Instruction” and added “http://” to URLs in PE-3 References.	F-130
01-15-2014	Editorial	Deleted “and supplementation” after “tailoring” in PL-2 a. 8.	F-140
01-15-2014	Editorial	Added “Special” before “Publication” in PL-4 References.	F-141
01-15-2014	Editorial	Added “Control Enhancements: None.” to PL-7.	F-142
01-15-2014	Editorial	Deleted AT-5, AC-19(6), AC-19(8), and AC-19(9) from PL-9 Supplemental Guidance.	F-144
01-15-2014	Editorial	Added “Control Enhancements: None.” to PL-9.	F-144
01-15-2014	Editorial	Added “Special” before “Publication” in PL-9 References.	F-144
01-15-2014	Editorial	Changed “731.106(a)” to “731.106” in PS-2 References.	F-145
01-15-2014	Editorial	Changed “Publication” to “Publications” and added “http://” to URL in RA-3 References.	F-153
01-15-2014	Editorial	Added “http://” to URLs in RA-5 References.	F-155
01-15-2014	Editorial	Added “http://” to URLs in SA-4 References.	F-160
01-15-2014	Substantive	Added the following text to SA-11(8) Supplemental Guidance: “To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).”	F-169
01-15-2014	Editorial	Added “http://” to URLs in SA-11 References.	F-169
01-15-2014	Editorial	Added “Control Enhancements: None.” to SA-16.	F-177
01-15-2014	Editorial	Changed “Training” to “Scanning” in SA-19(4) title.	F-181
01-15-2014	Editorial	Changed “physical” to “protected” in SC-8 Supplemental Guidance.	F-193
01-15-2014	Editorial	Changed “140-2” to “140” and added “http://” to URLs in SC-13 References.	F-196
01-15-2014	Editorial	Added “authentication” after “data origin” in SC-20, Part a.	F-199
01-15-2014	Editorial	Added “verification” after “integrity” in SC-20, Part a.	F-199
01-15-2014	Editorial	Added “Control Enhancements: None.” to SC-35.	F-209
01-15-2014	Editorial	Deleted extraneous “References: None” from SI-7.	F-228
01-15-2014	Substantive	Added the following text as new third paragraph in Appendix G:: “Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control.”	G-1/2
01-15-2014	Editorial	Added Table G-1 to Appendix G.	G-2
01-15-2014	Editorial	Added “http://” to URL in PM-5 References.	G-5
01-15-2014	Editorial	Deleted “Web: www.fsam.gov” from PM-7 References.	G-5
01-15-2014	Editorial	Added “http://” to URL in Footnote 124.	J-22
01-22-2015	Editorial	Changed security control enhancement naming convention (i.e., format) by deleting space between base security control and numbered enhancement designation.	Global
01-22-2015	Editorial	Changed “(iv) and” to “and (iv)” in Glossary definition for Developer.	B-6
01-22-2015	Editorial	Changed “an IR-2 (1) in the high baseline entry for the IR-2 security control” to “the IR-2 (1) (2) entry in the high baseline for IR-2” in Appendix D, paragraph 1, line 8.	D-1
01-22-2015	Editorial	Changed “enhancement (1)” to “enhancements (1) and (2)” in Appendix D, paragraph 1, line 10.	D-1
01-22-2015	Editorial	Deleted “in the security control catalog“ in Appendix D, paragraph 1, line 10.	D-1
01-22-2015	Editorial	Changed “SHARED GROUPS / ACCOUNTS“ to “SHARED / GROUP ACCOUNTS” in Table D-3, AC-2(9) title.	D-10
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in Table D-4, AT-3(1) title.	D-14
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in Table D-4, AT-3(2) title.	D-14
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in Table D-4, AT-3(3) title.	D-14
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in Table D-4, AT-3(4) title.	D-14
01-22-2015	Editorial	Added “-BASED“ to “BIOMETRIC” in Table D-9, IA-5(12) title.	D-23
01-22-2015	Editorial	Deleted “/ ANALYSIS“ after “PENETRATION TESTING” in Table D-17, SA-11(5) title.	D-33
01-22-2015	Editorial	Changed “(1)” from normal font to bold font in Table E-4, SI-4(1).	E-7
01-22-2015	Editorial	Changed “SHARED GROUPS / ACCOUNTS“ to “SHARED / GROUP ACCOUNTS” in AC-2(9) title.	F-10
01-22-2015	Editorial	Changed “use“ to “usage” in AC-2(12) part (a).	F-10
01-22-2015	Editorial	Changed “policies“ to “policy” in AC-3(3).	F-11
01-22-2015	Editorial	Deleted “specifies that” in AC-3(3).	F-11
01-22-2015	Editorial	Changed “The policy is“ to “Is” in AC-3(3) part (a).	F-11
01-22-2015	Editorial	Changed “A“ to “Specifies that a” in AC-3(3) part (b).	F-11
01-22-2015	Editorial	Added “Specifies that“ to AC-3(3) part (c).	F-11
01-22-2015	Editorial	Changed “Organized-defined“ to “organization-defined” in AC-3(3) part (c).	F-11
01-22-2015	Editorial	Changed “policies“ to “policy” in AC-3(4).	F-12
01-22-2015	Editorial	Added “information“ before “flows” in AC-4(7).	F-15
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in AT-3(1) title.	F-39
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in AT-3(2) title.	F-39
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in AT-3(3) title.	F-39
01-22-2015	Editorial	Added “ROLE-BASED“ before “SECURITY TRAINING” in AT-3(4) title.	F-39
01-22-2015	Editorial	Added “the” before “relationship” in AU-12(1).	F-52
01-22-2015	Editorial	Moved “.” outside of closing bracket in Withdrawn section.	F-61
01-22-2015	Editorial	Changed “that“ to “those” in CP-7 part c.	F-84
01-22-2015	Editorial	Deleted “list of“ in IA-2(10).	F-92
01-22-2015	Editorial	Deleted “such as documentary evidence or a combination of documents and biometrics“ in IA-4(3).	F-95
01-22-2015	Editorial	Added “, such as documentary evidence or a combination of documents and biometrics,“ in IA-4(3) Supplemental Guidance.	F-95
01-22-2015	Editorial	Added “-BASED“ to “BIOMETRIC” in IA-5(12) title.	F-98
01-22-2015	Editorial	Changed “testing/exercises“ to “testing” in IR-4 part c.	F-105
01-22-2015	Editorial	Deleted “and“ before “prior” in MA-4(3) part (b).	F-115
01-22-2015	Editorial	Changed “Sanitation“ to “Sanitization” in MP-7(2) Supplemental Guidance (two instances).	F-125
01-22-2015	Editorial	Changed “resign“ to “re-sign” in PL-4 part d.	F-141
01-22-2015	Editorial	Deleted “security categorization decision is reviewed and approved by the“ before “authorizing” (first instance) in RA-2 part c.	F-151
01-22-2015	Editorial	Added “reviews and approves the security categorization decision“ after “representative” RA-2 part c.	F-151
01-22-2015	Editorial	Changed “;“ to “,” after IA-2 in SA-4(10) Supplemental Guidance.	F-160
01-22-2015	Editorial	Added “takes“ before assignment statement in SA-5 part c.	F-161
01-22-2015	Editorial	Changed “either is“ to “is either” in SA-11(3) part (b).	F-167
01-22-2015	Editorial	Deleted “has been“ before “granted” in SA-11(3) part (b).	F-167
01-22-2015	Editorial	Deleted “/ ANALYSIS“ after “PENETRATION TESTING” in SA-11(5) title.	F-168
01-22-2015	Editorial	Deleted “enhancement“ after “control” in SA-12 Supplemental Guidance.	F-169
01-22-2015	Editorial	Deleted “Related control: PE-21.” from SA-12(9) Supplemental Guidance.	F-171
01-22-2015	Editorial	Changed “reference to source“ to “references to sources” in SC-5.	F-187
01-22-2015	Editorial	Added “to be“ before “routed to” in SC-7(11).	F-190
01-22-2015	Editorial	Changed “i“ to “1” and “ii” to “2” in SI-4 part c.	F-219
01-22-2015	Editorial	Changed “USER“ to “USERS” in SI-4(20) title.	F-223
01-22-2015	Editorial	Deleted “for“ in SI-6(2).	F-225
01-22-2015	Editorial	Changed “interfaces” to “interactions” in SI-10(4) Supplemental Guidance.	F-229
01-22-2015	Editorial	Changed “-“ to “,” after AU-7 in PM-12 Supplemental Guidance.	G-8
01-22-2015	Substantive	Updated the introduction to Appendix H and Tables H-1 and H-2 in accordance with the 2013 version of ISO/IEC 27001 and revised security control mapping methodology.	H-1 through H-12
01-22-2015	Editorial	Deleted UL-3 from related controls list in SE-1.	J-20

chapter one

Directory: publications
publications -> Acm word Template for sig site
publications ->  Preparation of Papers for ieee transactions on medical imaging
publications -> Adjih, C., Georgiadis, L., Jacquet, P., & Szpankowski, W. (2006). Multicast tree structure and the power law
publications -> Swiss Federal Institute of Technology (eth) Zurich Computer Engineering and Networks Laboratory
publications -> Quantitative skills
publications -> Multi-core cpu and gpu implementation of Discrete Periodic Radon Transform and Its Inverse
publications -> List of Publications Department of Mechanical Engineering ucek, jntu kakinada
publications -> 1. 2 Authority 1 3 Planning Area 1
publications -> Sa michelson, 2011: Impact of Sea-Spray on the Atmospheric Surface Layer. Bound. Layer Meteor., 140 ( 3 ), 361-381, doi: 10. 1007/s10546-011-9617-1, issn: Jun-14, ids: 807TW, sep 2011 Bao, jw, cw fairall, sa michelson

Download 5.8 Mb.

Share with your friends:

1 2 3 4 5 6 7 8 9 ... 186