CLASSIFICATION WAS NOT SELECTED

TEST_2015-01-15-1052 [PROJECT ACRONYM NOT PROVIDED]

[ENTER SYSTEM NUMBER]

REQUIREMENTS TRACEABILITY MATRIX (RTM)

Prepared for Department of Homeland Security

16 January 2015


1. Introduction

The Requirements Traceability Matrix (RTM) relates requirements from requirement source documents to the security certification process. It ensures that all security requirements are identified and investigated. Each row of the matrix identifies a specific requirement and provides the details of how it was tested or analyzed and the results.

The table is arranged to display the system security requirements from the applicable regulation documents, which are listed below:

NIST 800-53 w/ DHS 4300A - Department of Homeland Security Sensitive Systems Policy Directive 4300A Version 10

The columns of the RTM are defined as follows:

Control Ref.

Refers to the name (short title) of the source document and the ID or paragraph number of the listed control or requirement.

Security Req./Control

Short title describing the security control or requirement (and the text of the control/requirement, which may be paraphrased for brevity).

Security Category

Category and class associated with the security control.

Control Type

Auto populated if the requirement is identified with two security control types: common and system-specific; i.e., a part of the requirement is identified as common type and another part of it is system-specific.

Common. Auto populated if the requirement is designated to one or more information systems.

Hybrid. Auto populated if the requirement is identified with two security control types: common and system-specific; i.e., a part of the requirement is identified as common type and another part of it is system-specific.

System-Specific. Auto populated if the requirement is assigned to a specific information system.

Inherited. Auto populated if the requirement is inherited from another system.

Not Specified. Auto populated if the requirement does not require any security control.

Planned Imp.

Auto populated if the requirement is identified with two security control types: common and system-specific; i.e., a part of the requirement is identified as common type and another part of it is system-specific.

Common. Auto populated if the requirement is designated to one or more information systems.

Hybrid. Auto populated if the requirement is identified with two security control types: common and system-specific; i.e., a part of the requirement is identified as common type and another part of it is system-specific.

System-Specific. Auto populated if the requirement is assigned to a specific information system.

Inherited. Auto populated if the requirement is inherited from another system.

Not Specified. Auto populated if the requirement does not require any security control.

Actual Imp.

Identification whether the control is in place and how it has been implemented, or differences in how the control was implemented compared to what was planned.

As Planned. Auto populated if Implemented control status is selected and Planned Implementation column does not read Not Entered.

Pending Implementation. Auto populated if Planned control status is selected and Planned Implementation column does not read Not Entered.

Partially Implemented. Auto populated if Partial control status is selected and Planned Implementation column does not read Not Entered.

Not Entered. Auto populated if the Planned Implementation column reads Not Entered.

Not Assigned. Auto populated if the Control Type and/or Control Status were not selected.

Test #(s)

The ID number of the specific test procedure(s) used to validate the requirement or control.

-. The control is not applicable.

Methods

The evaluation method (or methods) used to assess the requirement.

I. Interview.

E. Examine.

T. Testing.

-. The control is not applicable.

Tailored

The tailored control that modifies the control set.

In. The control was tailored in.

Out. The control was tailored out.

-. The control was not affected by tailoring.

Overlays

The controls included or excluded from the controls already in the baseline.

In. The control was added to the controls in the baseline.

Out. The control was removed from the controls in the baseline.

-. The control was not affected by overlay(s).

Result

The summarized result for the test procedures that cover the requirement/control.

Met. Requirement fully satisfied.

Not Met. Requirement not satisfied.

Not Applicable. Requirement not applicable.

Notes

Identifies the factor, and the basis for, any tailoring of controls from the NIST 800-53 w/ DHS 4300A baseline or organizational overlay that was used for the system.


2. Requirements Traceability Matrix

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods TailoredResult Notes

I E T IN OUT

NIST 800-53 w/ DHS 4300A AC-

1

Access Control

Policy and Procedures

Access Control

Policy and Procedures

(T)

Not Specified Not Entered Not Assigned AC-1.1, AC-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

1 (DHS-5.1.1.c)

Sharing of Personal

Passwords

Access Control

Policy and Procedures

(T)

Not Specified Not Entered Not AssignedAC-

1(DHS-5.1.1.c)

- X X - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

2

Account Management

Account Management

(T)Not Specified Not Entered Not Assigned AC-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

2 (1)

Account Management

Account Management

(T)Not Specified Not Entered Not Assigned AC-2(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

2 (2)

Account Management

Account Management

(T)Not Specified Not Entered Not Assigned AC-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

2 (3)

Account Management

Account Management

(T)Not Specified Not Entered Not Assigned AC-2(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

2 (4)

Account Management

Account Management

(T)Not Specified Not Entered Not Assigned AC-2(4).1 X X - - - Not Met None

NIST 800- Account Account Not Specified Not Entered Not Assigned AC-2(5).1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED1

Page 5: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored

Result Notes53 w/ DHS 4300A AC-

2 (5)Management Management

(T)

NIST 800-53 w/ DHS 4300A AC-

2 (11)

Account Management

Account Management

(T)Not Specified Not Entered Not Assigned AC-

2(11).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

3

Access Enforcement

Access Enforcement

(T)Not Specified Not Entered Not Assigned AC-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

3 (DHS-5.1.1.d)

Access Enforcement

Access Enforcement

(T)Not Specified Not Entered Not Assigned

AC-3(DHS-5.1.1.d)

- X X - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

4

Information Flow

Enforcement

Information Flow

Enforcement (T)

Not Specified Not Entered Not Assigned AC-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

5

Separation of Duties

Separation of Duties (T) Not Specified Not Entered Not Assigned AC-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

6

Least Privilege

Least Privilege (T) Not Specified Not Entered Not Assigned AC-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

6 (1)

Least Privilege

Least Privilege (T) Not Specified Not Entered Not Assigned AC-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

6 (2)

Least Privilege

Least Privilege (T) Not Specified Not Entered Not Assigned AC-6(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

Least Privilege

Least Privilege (T)

Not Specified Not Entered Not Assigned AC-6(3).1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED2

Page 6: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods TailoredResult Notes4300A AC-

6 (3)NIST 800-53 w/ DHS 4300A AC-

6 (5)

Least Privilege

Least Privilege (T) Not Specified Not Entered Not Assigned AC-6(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

6 (9)

Least Privilege

Least Privilege (T) Not Specified Not Entered Not Assigned AC-6(9).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

6 (10)

Least Privilege

Least Privilege (T) Not Specified Not Entered Not Assigned AC-

6(10).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

7

Unsuccessful Logon

Attempts

Unsuccessful Logon

Attempts (T)Not Specified Not Entered Not Assigned AC-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

8

System Use Notification

System Use Notification

(T)Not Specified Not Entered Not Assigned AC-8.1,

AC-8.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

8 (DHS-4.8.5.d)

System Use Notification

System Use Notification

(T)Not Specified Not Entered Not Assigned

AC-8(DHS-4.8.5.d)

- X X - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

10

Concurrent Session Control

Concurrent Session

Control (T)Not Specified Not Entered Not Assigned AC-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

11

Session Lock Session Lock (T) Not Specified Not Entered Not Assigned AC-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

Session Lock Session Lock (T)

Not Specified Not Entered Not Assigned AC-11(1).1

X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED3

Page 7: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored Result Notes11 (1)

NIST 800-53 w/ DHS 4300A AC-

12

Session Termination

Session Termination

(T)Not Specified Not Entered Not Assigned AC-12.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

14

Permitted Actions without

Identification or

Authentication

Permitted Actions without

Identification or

Authentication (T)

Not Specified Not Entered Not Assigned AC-14.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

17

Remote Access

Remote Access (T) Not Specified Not Entered Not Assigned AC-17.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

17 (1)

Remote Access

Remote Access (T) Not Specified Not Entered Not Assigned AC-

17(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

17 (2)

Remote Access

Remote Access (T) Not Specified Not Entered Not Assigned AC-

17(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

17 (3)

Remote Access

Remote Access (T) Not Specified Not Entered Not Assigned AC-

17(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

17 (4)

Remote Access

Remote Access (T) Not Specified Not Entered Not Assigned AC-

17(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-17 (DHS-5.4.1.b)

Remote Access

Remote Access (T) Not Specified Not Entered Not Assigned

AC-17(DHS-5.4.1.b)

X X X - - Not Met None

NIST 800- Remote Remote Not Specified Not Entered Not Assigned AC- - X X - - Not Met None

CLASSIFICATION WAS NOT SELECTED4

Page 8: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored

Result Notes53 w/ DHS 4300A AC-17 (DHS-5.4.1.c)

Access Access (T) 17(DHS-5.4.1.c)

NIST 800-53 w/ DHS 4300A AC-

18

Wireless Access

Wireless Access (T) Not Specified Not Entered Not Assigned AC-18.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

18 (1)

Wireless Access

Wireless Access (T) Not Specified Not Entered Not Assigned AC-

18(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

18 (4)

Wireless Access

Wireless Access (T) Not Specified Not Entered Not Assigned AC-

18(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

18 (5)

Wireless Access

Wireless Access (T) Not Specified Not Entered Not Assigned AC-

18(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

19

Access Control for

Mobile Devices

Access Control for

Mobile Devices (T)

Not Specified Not Entered Not Assigned AC-19.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

19 (5)

Access Control for

Mobile Devices

Access Control for

Mobile Devices (T)

Not Specified Not Entered Not Assigned AC-19(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

20

Use of External

Information Systems

Use of External

Information Systems (T)

Not Specified Not Entered Not Assigned AC-20.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

20 (1)

Use of External

Information Systems

Use of External

Information Systems (T)

Not Specified Not Entered Not Assigned AC-20(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

Use of External

Use of External

Not Specified Not Entered Not Assigned AC-20(2).1

X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED5

Page 9: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods TailoredResult Notes4300A AC-

20 (2)Information

SystemsInformation Systems (T)

NIST 800-53 w/ DHS 4300A AC-

21

User-Based Collaboration

and Information

Sharing

Information Sharing (T) Not Specified Not Entered Not Assigned AC-21.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AC-

22

Publicly Accessible

Content

Publicly Accessible Content (T)

Not Specified Not Entered Not Assigned AC-22.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AT-

1

Security Awareness

and Training Policy and Procedures

Security Awareness

and Training Policy and Procedures

(O)

Not Specified Not Entered Not Assigned AT-1.1, AT-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AT-

2

Security Awareness

Security Awareness

Training (O)Not Specified Not Entered Not Assigned AT-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AT-

2 (2)

Security Awareness

Security Awareness

Training (O)Not Specified Not Entered Not Assigned

AT-2(2).1, AT-

2(2).1, AT-2(2).1

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AT-

3

Security Training

Role-Based Security

Training (O)Not Specified Not Entered Not Assigned AT-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AT-

4

Security Training Records

Security Training

Records (O)Not Specified Not Entered Not Assigned AT-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

1

Audit and Accountability Policy and Procedures

Audit and Accountability Policy and Procedures

Not Specified Not Entered Not Assigned AU-1.1, AU-1.2

X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED6

Page 10: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored Result Notes(T)

NIST 800-53 w/ DHS 4300A AU-

2

Audit Events Audit Events (T) Not Specified Not Entered Not Assigned AU-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

2 (3)

Auditable Events

Audit Events (T) Not Specified Not Entered Not Assigned AU-2(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

3

Content of Audit

Records

Content of Audit

Records (T)Not Specified Not Entered Not Assigned AU-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

3 (1)

Content of Audit

Records

Content of Audit

Records (T)Not Specified Not Entered Not Assigned AU-3(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

3 (2)

Content of Audit

Records

Content of Audit

Records (T)Not Specified Not Entered Not Assigned AU-3(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

4

Audit Storage Capacity

Audit Storage Capacity (T) Not Specified Not Entered Not Assigned AU-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

5

Response to Audit

Processing Failures

Response to Audit

Processing Failures (T)

Not Specified Not Entered Not Assigned AU-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

5 (1)

Response to Audit

Processing Failures

Response to Audit

Processing Failures (T)

Not Specified Not Entered Not Assigned AU-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

5 (2)

Response to Audit

Processing Failures

Response to Audit

Processing Failures (T)

Not Specified Not Entered Not Assigned AU-5(2).1 X X - - - Not Met None

NIST 800- Audit Audit Not Specified Not Entered Not Assigned AU-6.1, X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED7

Page 11: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored

Result Notes53 w/ DHS 4300A AU-

6

Review, Analysis, and

Reporting

Review, Analysis, and Reporting (T)

AU-6.2

NIST 800-53 w/ DHS 4300A AU-

6 (1)

Audit Review,

Analysis, and Reporting

Audit Review,

Analysis, and Reporting (T)

Not Specified Not Entered Not Assigned AU-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

6 (3)

Audit Review,

Analysis, and Reporting

Audit Review,

Analysis, and Reporting (T)

Not Specified Not Entered Not Assigned AU-6(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

6 (5)

Audit Review,

Analysis, and Reporting

Audit Review,

Analysis, and Reporting (T)

Not Specified Not Entered Not Assigned AU-6(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

6 (6)

Audit Review,

Analysis, and Reporting

Audit Review,

Analysis, and Reporting (T)

Not Specified Not Entered Not Assigned AU-6(6).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

6 (DHS-5.3.b)

Audit Review,

Analysis, and Reporting

Audit Review,

Analysis, and Reporting (T)

Not Specified Not Entered Not AssignedAU-

6(DHS-5.3.b)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

6 (DHS-5.4.6.f)

Audit Review,

Analysis, and Reporting

Audit Review,

Analysis, and Reporting (T)

Not Specified Not Entered Not AssignedAU-

6(DHS-5.4.6.f)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

7

Audit Reduction and Report Generation

Audit Reduction and Report Generation

(T)

Not Specified Not Entered Not Assigned AU-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

7 (1)

Audit Reduction and Report Generation

Audit Reduction and Report Generation

Not Specified Not Entered Not Assigned AU-7(1).1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED8

Page 12: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored Result Notes(T)

NIST 800-53 w/ DHS 4300A AU-

8

Time Stamps Time Stamps (T) Not Specified Not Entered Not Assigned AU-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

8 (1)

Time Stamps Time Stamps (T) Not Specified Not Entered Not Assigned AU-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

9

Protection of Audit

Information

Protection of Audit

Information (T)

Not Specified Not Entered Not Assigned AU-9.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

9 (2)

Protection of Audit

Information

Protection of Audit

Information (T)

Not Specified Not Entered Not Assigned AU-9(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

9 (3)

Protection of Audit

Information

Protection of Audit

Information (T)

Not Specified Not Entered Not Assigned AU-9(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

9 (4)

Protection of Audit

Information

Protection of Audit

Information (T)

Not Specified Not Entered Not Assigned AU-9(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

10

Non-repudiation

Non-repudiation

(T)Not Specified Not Entered Not Assigned AU-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

11

Audit Record Retention

Audit Record Retention (T) Not Specified Not Entered Not Assigned AU-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-11 (DHS-

5.3.d)

Audit Record Retention

Audit Record Retention (T) Not Specified Not Entered Not Assigned

AU-11(DHS-

5.3.d)X X X - - Not Met None

CLASSIFICATION WAS NOT SELECTED9

Page 13: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored

Result NotesNIST 800-53 w/ DHS 4300A AU-

12

Audit Generation

Audit Generation

(T)Not Specified Not Entered Not Assigned AU-12.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

12 (1)

Audit Generation

Audit Generation

(T)Not Specified Not Entered Not Assigned AU-

12(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A AU-

12 (3)

Audit Generation

Audit Generation

(T)Not Specified Not Entered Not Assigned AU-

12(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

1

Security Assessment

and Authorization Policies and Procedures

Security Assessment

and Authorization Policies and Procedures

(M)

Not Specified Not Entered Not Assigned CA-1.1, CA-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

1 (DHS-3.9.m)

Security Assessment

and Authorization Policies and Procedures

Security Assessment

and Authorization Policies and Procedures

(M)

Not Specified Not Entered Not AssignedCA-

1(DHS-3.9.m)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

1 (DHS-3.18.c)

Security Assessment

and Authorization Policies and Procedures

Security Assessment

and Authorization Policies and Procedures

(M)

Not Specified Not Entered Not AssignedCA-

1(DHS-3.18.c)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

1 (DHS-3.18.d)

Security Assessment

and Authorization Policies and

Security Assessment

and Authorization Policies and

Not Specified Not Entered Not Assigned CA-1(DHS-3.18.d)

X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED10

Page 14: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods TailoredResult Notes

Procedures Procedures (M)

NIST 800-53 w/ DHS 4300A CA-

1 (DHS-3.18.e)

Security Assessment

and Authorization Policies and Procedures

Security Assessment

and Authorization Policies and Procedures

(M)

Not Specified Not Entered Not AssignedCA-

1(DHS-3.18.e)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

2

Security Assessments

Security Assessments

(M)Not Specified Not Entered Not Assigned CA-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

2 (1)

Security Assessments

Security Assessments

(M)Not Specified Not Entered Not Assigned CA-2(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

2 (2)

Security Assessments

Security Assessments

(M)Not Specified Not Entered Not Assigned

CA-2(2).1, CA-2.2

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

2 (DHS-3.18.b)

Security Assessments

Security Assessments

(M)Not Specified Not Entered Not Assigned

CA-2(DHS-3.18.b)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned CA-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3 (5)

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned CA-3(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3 (DHS-

Information System

Connections

System Interconnecti

ons (M)

Not Specified Not Entered Not Assigned CA-3(DHS-5.4.3.b)

X X X - - Not Met None

CLASSIFICATION WAS NOT SELECTED11

Page 15: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored Result Notes5.4.3.b)

NIST 800-53 w/ DHS 4300A CA-

3 (DHS-5.4.3.c)

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned

CA-3(DHS-5.4.3.c)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3 (DHS-5.4.3.d)

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned

CA-3(DHS-5.4.3.d)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3 (DHS-5.4.3.f)

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned

CA-3(DHS-5.4.3.f)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3 (DHS-5.4.3.m)

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned

CA-3(DHS-5.4.3.m)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

3 (DHS-5.4.3.n)

Information System

Connections

System Interconnecti

ons (M)Not Specified Not Entered Not Assigned

CA-3(DHS-5.4.3.n)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

5

Plan of Action and Milestones

Plan of Action and Milestones

(M)

Not Specified Not Entered Not Assigned CA-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

5 (DHS-2.2.8.d)

Plan of Action and Milestones

Plan of Action and Milestones

(M)

Not Specified Not Entered Not AssignedCA-

5(DHS-2.2.8.d)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

Security Authorization

Security Authorization

(M)

Not Specified Not Entered Not Assigned CA-6.1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED12

Page 16: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored Result Notes6

NIST 800-53 w/ DHS 4300A CA-

6 (DHS-3.9.h)

Security Authorization

Security Authorization

(M)Not Specified Not Entered Not Assigned

CA-6(DHS-3.9.h)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

7

Continuous Monitoring

Continuous Monitoring

(M)Not Specified Not Entered Not Assigned CA-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

7 (1)

Continuous Monitoring

Continuous Monitoring

(M)Not Specified Not Entered Not Assigned CA-7(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

7 (DHS-4.6.3.a)

Continuous Monitoring

Continuous Monitoring

(M)Not Specified Not Entered Not Assigned

CA-7(DHS-4.6.3.a)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

8

Penetration Testing

Penetration Testing (M) Not Specified Not Entered Not Assigned CA-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CA-

9

Internal System

Connections

Internal System

Connections (M)

Not Specified Not Entered Not Assigned CA-9.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-1

Configuration Management Policy and Procedures

Configuration Management Policy and Procedures

(O)

Not Specified Not Entered Not Assigned CM-1.1, CM-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-2

Baseline Configuration

Baseline Configuration

(O)Not Specified Not Entered Not Assigned CM-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS

Baseline Configuration

Baseline Configuration

Not Specified Not Entered Not Assigned CM-2(1).1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED13

Page 17: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods TailoredResult Notes4300A

CM-2 (1) (O)

NIST 800-53 w/ DHS

4300A CM-2 (2)

Baseline Configuration

Baseline Configuration

(O)Not Specified Not Entered Not Assigned CM-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-2 (3)

Baseline Configuration

Baseline Configuration

(O)Not Specified Not Entered Not Assigned CM-2(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-2 (7)

Baseline Configuration

Baseline Configuration

(O)Not Specified Not Entered Not Assigned CM-2(7).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-2 (DHS-3.9.b)

Baseline Configuration

Baseline Configuration

(O)Not Specified Not Entered Not Assigned

CM-2(DHS-3.9.b)

- X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-2 (DHS-4.12.b)

Baseline Configuration

Baseline Configuration

(O)Not Specified Not Entered Not Assigned

CM-2(DHS-4.12.b)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-3

Configuration Change Control

Configuration Change

Control (O)Not Specified Not Entered Not Assigned CM-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-3 (1)

Configuration Change Control

Configuration Change

Control (O)Not Specified Not Entered Not Assigned CM-3(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-3 (2)

Configuration Change Control

Configuration Change

Control (O)Not Specified Not Entered Not Assigned CM-3(2).1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED14

Page 18: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored

Result Notes

NIST 800-53 w/ DHS

4300A CM-3 (DHS-2.1.8.g)

Configuration Change Control

Configuration Change

Control (O)Not Specified Not Entered Not Assigned

CM-3(DHS-2.1.8.g)

X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-3 (DHS-5.4.3.l)

Configuration Change Control

Configuration Change

Control (O)Not Specified Not Entered Not Assigned

CM-3(DHS-5.4.3.l)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-4

Security Impact

Analysis

Security Impact

Analysis (O)Not Specified Not Entered Not Assigned CM-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-4 (1)

Security Impact

Analysis

Security Impact

Analysis (O)Not Specified Not Entered Not Assigned CM-4(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-5

Access Restrictions for Change

Access Restrictions for Change

(O)

Not Specified Not Entered Not Assigned CM-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-5 (1)

Access Restrictions for Change

Access Restrictions for Change

(O)

Not Specified Not Entered Not Assigned CM-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-5 (2)

Access Restrictions for Change

Access Restrictions for Change

(O)

Not Specified Not Entered Not Assigned CM-5(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-5 (3)

Access Restrictions for Change

Access Restrictions for Change

(O)

Not Specified Not Entered Not Assigned CM-5(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS

Configuration Settings

Configuration Settings (O)

Not Specified Not Entered Not Assigned CM-6.1 X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED15

Page 19: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods TailoredResult Notes4300A

CM-6NIST 800-53 w/ DHS

4300A CM-6 (1)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned CM-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (2)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned CM-6(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-3.7.e)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-3.7.e)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-3.7.f)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-3.7.f)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-3.7.g)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-3.7.g)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-4.5.2.b)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-4.5.2.b)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-4.8.4.a)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-4.8.4.a)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-4.12.f)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-4.12.f)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-4.12.j)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-4.12.j)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-5.4.5.d)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-5.4.5.d)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-6 (DHS-5.4.5.e)

Configuration Settings

Configuration Settings (O) Not Specified Not Entered Not Assigned

CM-6(DHS-5.4.5.e)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-7

Least Functionality

Least Functionality

(O) Not Specified Not Entered Not Assigned CM-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-7 (1)

Least Functionality

Least Functionality

(O) Not Specified Not Entered Not Assigned CM-7(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-7 (2)

Least Functionality

Least Functionality

(O) Not Specified Not Entered Not Assigned CM-7(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-7 (5)

Least Functionality

Least Functionality

(O) Not Specified Not Entered Not Assigned CM-7(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-7 (DHS-4.8.6.a)

Least Functionality

Least Functionality

(O) Not Specified Not Entered Not Assigned

CM-7(DHS-4.8.6.a)

- X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-7 (DHS-5.4.5.f)

Least Functionality

Least Functionality

(O) Not Specified Not Entered Not Assigned

CM-7(DHS-5.4.5.f)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A CM-8

Information System

Component Inventory

Information System

Component Inventory (O)

Not Specified Not Entered Not Assigned CM-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-8 (1)

Information System

Component Inventory

Information System

Component Inventory (O)

Not Specified Not Entered Not Assigned CM-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-8 (2)

Information System

Component Inventory

Information System

Component Inventory (O)

Not Specified Not Entered Not Assigned CM-8(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-8 (3)

Information System

Component Inventory

Information System

Component Inventory (O)

Not Specified Not Entered Not Assigned CM-8(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-8 (4)

Information System

Component Inventory

Information System

Component Inventory (O)

Not Specified Not Entered Not Assigned CM-8(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-8 (5)

Information System

Component Inventory

Information System

Component Inventory (O)

Not Specified Not Entered Not Assigned CM-8(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-9

Configuration Management

Plan

Configuration Management

Plan (O) Not Specified Not Entered Not Assigned CM-9.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-10

Software Usage

Restrictions

SW Usage Restrictions

(O) Not Specified Not Entered Not Assigned CM-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A CM-11

User-Installed Software

User-Installed SW (O) Not Specified Not Entered Not Assigned CM-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-1

Contingency Planning

Policy and Procedures

Contingency Planning

Policy and Procedures

(O)

Not Specified Not Entered Not Assigned CP-1.1, CP-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-1 (DHS-3.5.1.a)

Contingency Planning

Policy and Procedures

Contingency Planning

Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

CP-1(DHS-3.5.1.a)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CP-1 (DHS-3.5.2.d)

Contingency Planning

Policy and Procedures

Contingency Planning

Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

CP-1(DHS-3.5.2.d)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2.1, CP-2.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (1)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (2)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (3)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (4)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (5)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (8)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned CP-2(8).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-2 (DHS-3.5.2.e)

Contingency Plan

Contingency Plan (O) Not Specified Not Entered Not Assigned

CP-2(DHS-3.5.2.e)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CP-3

Contingency Training

Contingency Training (O) Not Specified Not Entered Not Assigned CP-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-3 (1)

Contingency Training

Contingency Training (O) Not Specified Not Entered Not Assigned CP-3(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-4

Contingency Plan Testing and Exercises

Contingency Plan Testing

(O) Not Specified Not Entered Not Assigned CP-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-4 (1)

Contingency Plan Testing and Exercises

Contingency Plan Testing

(O) Not Specified Not Entered Not Assigned CP-4(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-4 (2)

Contingency Plan Testing and Exercises

Contingency Plan Testing

(O) Not Specified Not Entered Not Assigned CP-4(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-4 (DHS-3.5.2.f)

Contingency Plan Testing and Exercises

Contingency Plan Testing

(O) Not Specified Not Entered Not Assigned

CP-4(DHS-3.5.2.f)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A CP-6

Alternate Storage Site

Alternate Storage Site

(O) Not Specified Not Entered Not Assigned CP-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-6 (1)

Alternate Storage Site

Alternate Storage Site

(O) Not Specified Not Entered Not Assigned CP-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-6 (2)

Alternate Storage Site

Alternate Storage Site

(O) Not Specified Not Entered Not Assigned CP-6(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-6 (3)

Alternate Storage Site

Alternate Storage Site

(O) Not Specified Not Entered Not Assigned CP-6(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-7

Alternate Processing Site

Alternate Processing Site (O) Not Specified Not Entered Not Assigned CP-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-7 (1)

Alternate Processing Site

Alternate Processing Site (O) Not Specified Not Entered Not Assigned CP-7(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-7 (2)

Alternate Processing Site

Alternate Processing Site (O)

Not Specified Not Entered Not Assigned CP-7(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-7 (3)

Alternate Processing Site

Alternate Processing Site (O) Not Specified Not Entered Not Assigned CP-7(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-7 (4)

Alternate Processing Site

Alternate Processing Site (O) Not Specified Not Entered Not Assigned CP-7(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-8

Telecommunications Services

Telecommunications Services (O) Not Specified Not Entered Not Assigned CP-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-8 (1)

Telecommunications Services

Telecommunications Services (O) Not Specified Not Entered Not Assigned CP-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-8 (2)

Telecommunications Services

Telecommunications Services (O) Not Specified Not Entered Not Assigned CP-8(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-8 (3)

Telecommunications Services

Telecommunications Services (O) Not Specified Not Entered Not Assigned CP-8(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-8 (4)

Telecommunications Services

Telecommunications Services (O) Not Specified Not Entered Not Assigned CP-8(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-9

Information System Backup

Information System Backup (O) Not Specified Not Entered Not Assigned CP-9.1, CP-9.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-9 (1)

Information System Backup

Information System Backup (O) Not Specified Not Entered Not Assigned CP-9(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-9 (2)

Information System Backup

Information System Backup (O) Not Specified Not Entered Not Assigned CP-9(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-9 (3)

Information System Backup

Information System Backup (O) Not Specified Not Entered Not Assigned CP-9(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-9 (5)

Information System Backup

Information System Backup (O) Not Specified Not Entered Not Assigned CP-9(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-10

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution (O)

Not Specified Not Entered Not Assigned CP-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-10 (2)

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution (O)

Not Specified Not Entered Not Assigned CP-10(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A CP-10 (4)

Information System Recovery and Reconstitution

Information System Recovery and Reconstitution (O)

Not Specified Not Entered Not Assigned CP-10(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-1

Identification and

Authentication Policy and Procedures

Identification and

Authentication Policy and Procedures

(T)

Not Specified Not Entered Not Assigned IA-1.1, IA-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-1 (DHS-1.6.d)

Identification and

Authentication Policy and Procedures

Identification and

Authentication Policy and Procedures

(T)

Not Specified Not Entered Not Assigned

IA-1(DHS-1.6.d)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A IA-1 (DHS-3.14.7.a)

Identification and

Authentication Policy and Procedures

Identification and

Authentication Policy and Procedures

(T)

Not Specified Not Entered Not Assigned

IA-1(DHS-3.14.7.a)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A IA-1 (DHS-3.14.7.c)

Identification and

Authentication Policy and Procedures

Identification and

Authentication Policy and Procedures

(T)

Not Specified Not Entered Not Assigned

IA-1(DHS-3.14.7.c)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A IA-1 (DHS-3.14.7.f)

Identification and

Authentication Policy and Procedures

Identification and

Authentication Policy and Procedures

(T)

Not Specified Not Entered Not Assigned

IA-1(DHS-3.14.7.f)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (1)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (2)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (3)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (4)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (8)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(8).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (9)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(9).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (11)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(11).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (12)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-2(12).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-2 (DHS-5.1.d)

Identification and

Authentication

(Organizational Users)

Identification and

Authentication

(Organizational Users) (T)

Not Specified Not Entered Not Assigned

IA-2(DHS-5.1.d)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-3

Device Identification and Authentication

Device Identification and Authentication (T)

Not Specified Not Entered Not Assigned IA-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-4

Identifier Management

Identifier Management

(T) Not Specified Not Entered Not Assigned IA-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-5

Authenticator Management

Authenticator Management

(T) Not Specified Not Entered Not Assigned IA-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-5 (1)

Authenticator Management

Authenticator Management

(T) Not Specified Not Entered Not Assigned IA-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-5 (2)

Authenticator Management

Authenticator Management

(T) Not Specified Not Entered Not Assigned IA-5(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-5 (3)

Authenticator Management

Authenticator Management

(T) Not Specified Not Entered Not Assigned IA-5(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-5 (11)

Authenticator Management

Authenticator Management

(T) Not Specified Not Entered Not Assigned IA-5(11).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-5 (DHS-5.1.e)

Authenticator Management

Authenticator Management

(T) Not Specified Not Entered Not Assigned

IA-5(DHS-5.1.e)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-6

Authenticator Feedback

Authenticator Feedback (T)

Not Specified Not Entered Not Assigned IA-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-7

Cryptographic Module

Authentication

Cryptographic Module

Authentication (T)

Not Specified Not Entered Not Assigned IA-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-8

Identification and

Authentication (Non-

Organizational Users)

Identification and

Authentication (Non-

Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-8 (1)

Identification and

Authentication (Non-

Organizational Users)

Identification and

Authentication (Non-

Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-8 (2)

Identification and

Authentication (Non-

Organizational Users)

Identification and

Authentication (Non-

Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-8(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-8 (3)

Identification and

Authentication (Non-

Organizational Users)

Identification and

Authentication (Non-

Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-8(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-8 (4)

Identification and

Authentication (Non-

Organizational Users)

Identification and

Authentication (Non-

Organizational Users) (T)

Not Specified Not Entered Not Assigned IA-8(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IA-8 (DHS-1.5.4.c)

Identification and

Authentication (Non-

Organizational Users)

Identification and

Authentication (Non-

Organizational Users) (T)

Not Specified Not Entered Not Assigned

IA-8(DHS-1.5.4.c)

X X X - - Not Met None

NIST 800-53 w/ DHS 4300A IR-1

Incident Response Policy and Procedures

Incident Response Policy and Procedures

(O)

Not Specified Not Entered Not Assigned IR-1.1, IR-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-2

Incident Response Training

Incident Response Training (O) Not Specified Not Entered Not Assigned IR-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-2 (1)

Incident Response Training

Incident Response Training (O) Not Specified Not Entered Not Assigned IR-2(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-2 (2)

Incident Response Training

Incident Response Training (O) Not Specified Not Entered Not Assigned IR-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-3

Incident Response Testing and Exercises

Incident Response Testing (O) Not Specified Not Entered Not Assigned IR-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-3 (2)

Incident Response Testing and Exercises

Incident Response Testing (O) Not Specified Not Entered Not Assigned IR-3(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-4

Incident Handling

Incident Handling (O) Not Specified Not Entered Not Assigned IR-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-4 (1)

Incident Handling

Incident Handling (O) Not Specified Not Entered Not Assigned IR-4(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-4 (4)

Incident Handling

Incident Handling (O) Not Specified Not Entered Not Assigned IR-4(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-5

Incident Monitoring

Incident Monitoring

(O) Not Specified Not Entered Not Assigned IR-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-5 (1)

Incident Monitoring

Incident Monitoring

(O) Not Specified Not Entered Not Assigned IR-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-6

Incident Reporting

Incident Reporting (O) Not Specified Not Entered Not Assigned IR-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-6 (1)

Incident Reporting

Incident Reporting (O) Not Specified Not Entered Not Assigned IR-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-7

Incident Response Assistance

Incident Response Assistance

(O)

Not Specified Not Entered Not Assigned IR-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-7 (1)

Incident Response Assistance

Incident Response Assistance

(O)

Not Specified Not Entered Not Assigned IR-7(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A IR-8

Incident Response

Plan

Incident Response Plan (O)

Not Specified Not Entered Not Assigned IR-8.1, IR-8.2 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-1

System Maintenance Policy and Procedures

System Maintenance Policy and Procedures

(O)

Not Specified Not Entered Not Assigned MA-1.1, MA-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-2

Controlled Maintenance

Controlled Maintenance

(O) Not Specified Not Entered Not Assigned MA-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-2 (2)

Controlled Maintenance

Controlled Maintenance

(O) Not Specified Not Entered Not Assigned MA-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-3

Maintenance Tools

Maintenance Tools (O) Not Specified Not Entered Not Assigned MA-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-3 (1)

Maintenance Tools

Maintenance Tools (O) Not Specified Not Entered Not Assigned MA-3(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-3 (2)

Maintenance Tools

Maintenance Tools (O) Not Specified Not Entered Not Assigned MA-3(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-3 (3)

Maintenance Tools

Maintenance Tools (O) Not Specified Not Entered Not Assigned MA-3(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-4

Non-Local Maintenance

Nonlocal Maintenance

(O) Not Specified Not Entered Not Assigned MA-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-4 (2)

Non-Local Maintenance

Nonlocal Maintenance

(O) Not Specified Not Entered Not Assigned MA-4(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-4 (3)

Non-Local Maintenance

Nonlocal Maintenance

(O) Not Specified Not Entered Not Assigned MA-4(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-4 (DHS-5.4.4.c)

Non-Local Maintenance

Nonlocal Maintenance

(O) Not Specified Not Entered Not Assigned

MA-4(DHS-5.4.4.c)

X X X - - Not Met None

NIST 800-53 w/ DHS

4300A MA-5

Maintenance Personnel

Maintenance Personnel (O) Not Specified Not Entered Not Assigned MA-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-5 (1)

Maintenance Personnel

Maintenance Personnel (O) Not Specified Not Entered Not Assigned MA-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

4300A MA-6

Timely Maintenance

Timely Maintenance

(O) Not Specified Not Entered Not Assigned MA-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-1

Media Protection Policy and Procedures

Media Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned MP-1.1, MP-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-1 (DHS-3.14.5.b)

Media Protection Policy and Procedures

Media Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

MP-1(DHS-3.14.5.b)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-1 (DHS-4.3.1.g)

Media Protection Policy and Procedures

Media Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

MP-1(DHS-4.3.1.g)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-1 (DHS-5.4.1.d)

Media Protection Policy and Procedures

Media Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

MP-1(DHS-5.4.1.d)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-1 (DHS-5.6.c)

Media Protection Policy and Procedures

Media Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

MP-1(DHS-5.6.c)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-2

Media Access

Media Access (O) Not Specified Not Entered Not Assigned MP-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-3

Media Marking

Media Marking (O) Not Specified Not Entered Not Assigned MP-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-4

Media Storage

Media Storage (O) Not Specified Not Entered Not Assigned MP-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-4 (DHS-3.14.5.f)

Media Storage

Media Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

MP-4(DHS-3.14.5.f)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-5

Media Transport

Media Transport (O) Not Specified Not Entered Not Assigned MP-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-5 (4)

Media Transport

Media Transport (O) Not Specified Not Entered Not Assigned MP-5(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-5 (DHS-4.11.f)

Media Transport

Media Transport (O) Not Specified Not Entered Not Assigned

MP-5(DHS-4.11.f)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-6

Media Sanitization

Media Sanitization

(O) Not Specified Not Entered Not Assigned MP-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-6 (1)

Media Sanitization

Media Sanitization

(O)

Not Specified Not Entered Not Assigned MP-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-6 (2)

Media Sanitization

Media Sanitization

(O) Not Specified Not Entered Not Assigned MP-6(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-6 (3)

Media Sanitization

Media Sanitization

(O) Not Specified Not Entered Not Assigned MP-6(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-7

Media Use

Media Use (O) Not Specified Not Entered Not Assigned MP-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-7 (1)

Prohibit Use Without Owner

Media Use (O) Not Specified Not Entered Not Assigned MP-7(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-7 (DHS-4.3.1.d)

USB Drive encryption

Media Use (O) Not Specified Not Entered Not Assigned

MP-7(DHS-4.3.1.d)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-7 (DHS-4.3.1.e)

DHS owned Removable

Media

Media Use (O) Not Specified Not Entered Not Assigned

MP-7(DHS-4.3.1.e)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A MP-7 (DHS-4.3.1.f)

Protection of Sensitive Paper and Electronic Outputs

Media Use (O) Not Specified Not Entered Not Assigned

MP-7(DHS-4.3.1.f)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-1

Physical and Environmental Protection Policy and Procedures

Physical and Environmental Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned PE-1.1, PE-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-1 (DHS-3.3.c)

Physical and Environmental Protection Policy and Procedures

Physical and Environmental Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

PE-1(DHS-3.3.c)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-1 (DHS-4.6.2.3.b)

Physical and Environmental Protection Policy and Procedures

Physical and Environmental Protection Policy and Procedures

(O)

Not Specified Not Entered Not Assigned

PE-1(DHS-4.6.2.3.b)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-2

Physical Access

Authorizations

Physical Access

Authorizations (O)

Not Specified Not Entered Not Assigned PE-2.1, PE-2.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-3

Physical Access Control

Physical Access Control (O) Not Specified Not Entered Not Assigned PE-3.1, PE-3.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-3 (1)

Physical Access Control

Physical Access Control (O) Not Specified Not Entered Not Assigned PE-3(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-4

Access Control for

Transmission Medium

Access Control for

Transmission Medium (O)

Not Specified Not Entered Not Assigned PE-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-5

Access Control for

Output Devices

Access Control for

Output Devices (O)

Not Specified Not Entered Not Assigned PE-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-6

Monitoring Physical Access

Monitoring Physical Access (O) Not Specified Not Entered Not Assigned PE-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-6 (1)
Monitoring Physical Access
Monitoring Physical Access (O)
Not Specified Not Entered Not Assigned PE-6(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-6 (4)
Monitoring Physical Access
Monitoring Physical Access (O)
Not Specified Not Entered Not Assigned PE-6(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-8
Access Records
Visitor Access Records (O)
Not Specified Not Entered Not Assigned PE-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-8 (1)
Access Records
Visitor Access Records (O)
Not Specified Not Entered Not Assigned PE-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-9
Power Equipment and Power Cabling
Power Equipment and Cabling (O)
Not Specified Not Entered Not Assigned PE-9.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-10
Emergency Shutoff
Emergency Shutoff (O)
Not Specified Not Entered Not Assigned PE-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-11
Emergency Power
Emergency Power (O)
Not Specified Not Entered Not Assigned PE-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-11 (1)
Emergency Power
Emergency Power (O)
Not Specified Not Entered Not Assigned PE-11(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-12
Emergency Lighting
Emergency Lighting (O)
Not Specified Not Entered Not Assigned PE-12.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-13
Fire Protection
Fire Protection (O)
Not Specified Not Entered Not Assigned PE-13.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-13 (1)
Fire Protection
Fire Protection (O)
Not Specified Not Entered Not Assigned PE-13(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-13 (2)
Fire Protection
Fire Protection (O)
Not Specified Not Entered Not Assigned PE-13(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-13 (3)
Fire Protection
Fire Protection (O)
Not Specified Not Entered Not Assigned PE-13(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-14
Temperature and Humidity Controls
Temperature and Humidity Controls (O)
Not Specified Not Entered Not Assigned PE-14.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-15
Water Damage Protection
Water Damage Protection (O)
Not Specified Not Entered Not Assigned PE-15.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-15 (1)
Water Damage Protection
Water Damage Protection (O)
Not Specified Not Entered Not Assigned PE-15(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-16
Delivery and Removal
Delivery and Removal (O)
Not Specified Not Entered Not Assigned PE-16.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-17
Alternate Work Site
Alternate Work Site (O)
Not Specified Not Entered Not Assigned PE-17.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PE-18
Location of Information System Components
Location of Information System Components (O)
Not Specified Not Entered Not Assigned PE-18.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-1
Security Planning Policy and Procedures
Security Planning Policy and Procedures (M)
Not Specified Not Entered Not Assigned PL-1.1, PL-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-1 (DHS-3.14.5.c)
Security Planning Policy and Procedures
Security Planning Policy and Procedures (M)
Not Specified Not Entered Not Assigned PL-1(DHS-3.14.5.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-1 (DHS-3.14.7.d)
Security Planning Policy and Procedures
Security Planning Policy and Procedures (M)
Not Specified Not Entered Not Assigned PL-1(DHS-3.14.7.d) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-2
System Security Plan
System Security Plan (M)
Not Specified Not Entered Not Assigned PL-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-2 (3)
System Security Plan
System Security Plan (M)
Not Specified Not Entered Not Assigned PL-2(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4 (1)
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4 (DHS-4.1.2.a)
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4(DHS-4.1.2.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4 (DHS-4.8.2.a)
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4(DHS-4.8.2.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4 (DHS-4.8.2.b)
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4(DHS-4.8.2.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4 (DHS-4.8.3.a)
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4(DHS-4.8.3.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-4 (DHS-4.8.5.e)
Rules of Behavior
Rules of Behavior (M)
Not Specified Not Entered Not Assigned PL-4(DHS-4.8.5.e) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PL-8
Information Security Architecture
Information Security Architecture (M)
Not Specified Not Entered Not Assigned PL-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-1
Information Security Program Plan
Information Security Program Plan (M)
Not Specified Not Entered Not Assigned PM-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-2
Senior Information Security Officer
Senior Information Security Officer (M)
Not Specified Not Entered Not Assigned PM-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-3
Information Security Resources
Information Security Resources (M)
Not Specified Not Entered Not Assigned PM-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-4
Plan of Action and Milestones Process
Plan of Action and Milestones Process (M)
Not Specified Not Entered Not Assigned PM-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-5
Information System Inventory
Information System Inventory (M)
Not Specified Not Entered Not Assigned PM-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-6
Information Security Measures of Performance
Information Security Measures of Performance (M)
Not Specified Not Entered Not Assigned PM-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-7
Enterprise Architecture
Enterprise Architecture (M)
Not Specified Not Entered Not Assigned PM-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-8
Critical Infrastructure Plan
Critical Infrastructure Plan (M)
Not Specified Not Entered Not Assigned PM-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-9
Risk Management Strategy
Risk Management Strategy (M)
Not Specified Not Entered Not Assigned PM-9.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-10
Security Authorization Process
Security Authorization Process (M)
Not Specified Not Entered Not Assigned PM-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-11
Mission/Business Process Definition
Mission/Business Process Definition (M)
Not Specified Not Entered Not Assigned PM-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-12
Insider Threat Program
Insider Threat Program (M)
Not Specified Not Entered Not Assigned PM-12.1 X - - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-13
Information Security Workforce
Information Security Workforce (M)
Not Specified Not Entered Not Assigned PM-13.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-14
Testing, Training, and Monitoring
Testing, Training, and Monitoring (M)
Not Specified Not Entered Not Assigned PM-14.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-15
Contacts with Security Groups and Associations
Contacts with Security and Associations (M)
Not Specified Not Entered Not Assigned PM-15.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PM-16
Threat Awareness Program
Threat Awareness Program (M)
Not Specified Not Entered Not Assigned PM-16.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AP-1
Authority to Collect
Authority to Collect ()
Not Specified Not Entered Not Assigned AP-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AP-2
Purpose Specification
Purpose Specification ()
Not Specified Not Entered Not Assigned AP-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-1
Governance and Privacy Program
Governance and Privacy Program ()
Not Specified Not Entered Not Assigned AR-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-2
Privacy Impact and Risk Assessment
Privacy Impact and Risk Assessment ()
Not Specified Not Entered Not Assigned AR-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-3
Privacy Requirements for Contractors and Service Providers
Privacy Requirements for Contractors and Service Providers ()
Not Specified Not Entered Not Assigned AR-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-4
Privacy Monitoring and Auditing
Privacy Monitoring and Auditing ()
Not Specified Not Entered Not Assigned AR-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-5
Privacy Awareness and Training
Privacy Awareness and Training ()
Not Specified Not Entered Not Assigned AR-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-6
Privacy Reporting
Privacy Reporting ()
Not Specified Not Entered Not Assigned AR-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-7
Privacy-Enhanced System Design and Development
Privacy-Enhanced System Design and Development ()
Not Specified Not Entered Not Assigned AR-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-AR-8
Accounting of Disclosures
Accounting of Disclosures ()
Not Specified Not Entered Not Assigned AR-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-DI-1
Data Quality
Data Quality ()
Not Specified Not Entered Not Assigned DI-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-DI-2
Data Integrity and Data Integrity Board
Data Integrity and Data Integrity Board ()
Not Specified Not Entered Not Assigned DI-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-DM-1
Minimization of Personally Identifiable Information
Minimization of Personally Identifiable Information ()
Not Specified Not Entered Not Assigned DM-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-DM-2
Data Retention and Disposal
Data Retention and Disposal ()
Not Specified Not Entered Not Assigned DM-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-DM-3
Minimization of PII Used in Testing, Training, and Research
Minimization of PII Used in Testing, Training, and Research ()
Not Specified Not Entered Not Assigned DM-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-IP-1
Consent
Consent ()
Not Specified Not Entered Not Assigned IP-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-IP-2
Individual Access
Individual Access ()
Not Specified Not Entered Not Assigned IP-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-IP-3
Redress
Redress ()
Not Specified Not Entered Not Assigned IP-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-IP-4
Complaint Management
Complaint Management ()
Not Specified Not Entered Not Assigned IP-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-SE-1
Inventory of Personally Identifiable Information
Inventory of Personally Identifiable Information ()
Not Specified Not Entered Not Assigned SE-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-SE-2
Privacy Incident Response
Privacy Incident Response ()
Not Specified Not Entered Not Assigned SE-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-TR-1
Privacy Notice
Privacy Notice ()
Not Specified Not Entered Not Assigned TR-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-TR-2
System of Records Notices and Privacy Act Statements
System of Records Notices and Privacy Act Statements ()
Not Specified Not Entered Not Assigned TR-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-TR-3
Dissemination of Privacy Program Information
Dissemination of Privacy Program Information ()
Not Specified Not Entered Not Assigned TR-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-UL-1
Internal Use
Internal Use ()
Not Specified Not Entered Not Assigned UL-1.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PRIV-UL-2
Information Sharing with Third Parties
Information Sharing with Third Parties ()
Not Specified Not Entered Not Assigned UL-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-1
Personnel Security Policy and Procedures
Personnel Security Policy and Procedures (O)
Not Specified Not Entered Not Assigned PS-1.1, PS-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-2
Position Categorization
Position Risk Designation (O)
Not Specified Not Entered Not Assigned PS-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-3
Personnel Screening
Personnel Screening (O)
Not Specified Not Entered Not Assigned PS-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-4
Personnel Termination
Personnel Termination (O)
Not Specified Not Entered Not Assigned PS-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-4 (2)
Automated Notification
Personnel Termination (O)
Not Specified Not Entered Not Assigned PS-4(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-5
Personnel Transfer
Personnel Transfer (O)
Not Specified Not Entered Not Assigned PS-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-6
Access Agreements
Access Agreements (O)
Not Specified Not Entered Not Assigned PS-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-7
Third-Party Personnel Security
Third-Party Personnel Security (O)
Not Specified Not Entered Not Assigned PS-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A PS-8
Personnel Sanctions
Personnel Sanctions (O)
Not Specified Not Entered Not Assigned PS-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-1
Risk Assessment Policy and Procedures
Risk Assessment Policy and Procedures (M)
Not Specified Not Entered Not Assigned RA-1.1, RA-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-2
Security Categorization
Security Categorization (M)
Not Specified Not Entered Not Assigned RA-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-2 (DHS-3.9.a)
Security Categorization
Security Categorization (M)
Not Specified Not Entered Not Assigned RA-2(DHS-3.9.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-2 (DHS-3.14.2.e)
Security Categorization
Security Categorization (M)
Not Specified Not Entered Not Assigned RA-2(DHS-3.14.2.e) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-3
Risk Assessment
Risk Assessment (M)
Not Specified Not Entered Not Assigned RA-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-5
Vulnerability Scanning
Vulnerability Scanning (M)
Not Specified Not Entered Not Assigned RA-5.1, RA-5.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-5 (1)
Vulnerability Scanning
Vulnerability Scanning (M)
Not Specified Not Entered Not Assigned RA-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-5 (2)
Vulnerability Scanning
Vulnerability Scanning (M)
Not Specified Not Entered Not Assigned RA-5(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-5 (4)
Vulnerability Scanning
Vulnerability Scanning (M)
Not Specified Not Entered Not Assigned RA-5(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-5 (5)
Vulnerability Scanning
Vulnerability Scanning (M)
Not Specified Not Entered Not Assigned RA-5(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A RA-5 (DHS-4.8.4.d)
Vulnerability Scanning
Vulnerability Scanning (M)
Not Specified Not Entered Not Assigned RA-5(DHS-4.8.4.d) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-1
System and Services Acquisition Policy and Procedures
System and Services Acquisition Policy and Procedures (M)
Not Specified Not Entered Not Assigned SA-1.1, SA-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-1 (DHS-3.1.g)
System and Services Acquisition Policy and Procedures
System and Services Acquisition Policy and Procedures (M)
Not Specified Not Entered Not Assigned SA-1(DHS-3.1.g) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-1 (DHS-3.2.g)
System and Services Acquisition Policy and Procedures
System and Services Acquisition Policy and Procedures (M)
Not Specified Not Entered Not Assigned SA-1(DHS-3.2.g) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-1 (DHS-3.3.a)
System and Services Acquisition Policy and Procedures
System and Services Acquisition Policy and Procedures (M)
Not Specified Not Entered Not Assigned SA-1(DHS-3.3.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-1 (DHS-3.3.b)
System and Services Acquisition Policy and Procedures
System and Services Acquisition Policy and Procedures (M)
Not Specified Not Entered Not Assigned SA-1(DHS-3.3.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-2
Allocation of Resources
Allocation of Resources (M)
Not Specified Not Entered Not Assigned SA-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-3
Life Cycle Support
System Development Life Cycle (M)
Not Specified Not Entered Not Assigned SA-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-3 (DHS-3.6.c)
Life Cycle Support
System Development Life Cycle (M)
Not Specified Not Entered Not Assigned SA-3(DHS-3.6.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4 (1)
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4 (2)
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4 (9)
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4(9).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4 (10)
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4(10).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4 (DHS-3.14.7.g)
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4(DHS-3.14.7.g) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-4 (DHS-5.7.b)
Acquisitions
Acquisition Process (M)
Not Specified Not Entered Not Assigned SA-4(DHS-5.7.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-5
Information System Documentation
Information System Documentation (M)
Not Specified Not Entered Not Assigned SA-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-8
Security Engineering Principles
Security Engineering Principles (M)
Not Specified Not Entered Not Assigned SA-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-9
External Information System Services
External Information System Services (M)
Not Specified Not Entered Not Assigned SA-9.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-9 (2)
External Information System Services
External Information System Services (M)
Not Specified Not Entered Not Assigned SA-9(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-10
Developer Configuration Management
Developer Configuration Management (M)
Not Specified Not Entered Not Assigned SA-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-11
Developer Security Testing and Evaluation
Developer Security Testing and Evaluation (M)
Not Specified Not Entered Not Assigned SA-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-12
Supply Chain Protection
Supply Chain Protection (M)
Not Specified Not Entered Not Assigned SA-12.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-12 (DHS-5.8.a)
Supply Chain Protection
Supply Chain Protection (M)
Not Specified Not Entered Not Assigned SA-12(DHS-5.8.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-12 (DHS-5.8.b)
Supply Chain Protection
Supply Chain Protection (M)
Not Specified Not Entered Not Assigned SA-12(DHS-5.8.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-15
Development Process, Standards, and Tools
Development Process, Standards, and Tools (M)
Not Specified Not Entered Not Assigned SA-15.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-16
Developer-Provided Training
Developer-Provided Training (M)
Not Specified Not Entered Not Assigned SA-16.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SA-17
Developer Security Architecture and Design
Developer Security Architecture and Design (M)
Not Specified Not Entered Not Assigned SA-17.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1.1, SC-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-3.17.a)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-3.17.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-4.4.1.a)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-4.4.1.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-4.5.2.a)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-4.5.2.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-4.5.3.b)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-4.5.3.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-5.5.2.t)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-5.5.2.t) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-5.5.3.j)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-5.5.3.j) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-1 (DHS-5.7.a)
System and Communications Protection Policy and Procedures
System and Communications Protection Policy and Procedures (T)
Not Specified Not Entered Not Assigned SC-1(DHS-5.7.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-2
Application Partitioning
Application Partitioning (T)
Not Specified Not Entered Not Assigned SC-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-3
Security Function Isolation
Security Function Isolation (T)
Not Specified Not Entered Not Assigned SC-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-4
Information in Shared Resources
Information in Shared Resources (T)
Not Specified Not Entered Not Assigned SC-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-5
Denial-of-Service Protection
Denial of Service Protection (T)
Not Specified Not Entered Not Assigned SC-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-5 (DHS-4.6.1.c)
Denial-of-Service Protection
Denial of Service Protection (T)
Not Specified Not Entered Not Assigned SC-5(DHS-4.6.1.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (3)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(3).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (4)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (5)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (7)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(7).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (8)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(8).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (18)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(18).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (21)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(21).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (DHS-5.4.4.h)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(DHS-5.4.4.h) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (DHS-5.4.5.a)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(DHS-5.4.5.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-7 (DHS-5.4.5.b)
Boundary Protection
Boundary Protection (T)
Not Specified Not Entered Not Assigned SC-7(DHS-5.4.5.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-8
Transmission Integrity
Transmission Confidentiality and Integrity (T)
Not Specified Not Entered Not Assigned SC-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-8 (1)
Transmission Integrity
Transmission Confidentiality and Integrity (T)
Not Specified Not Entered Not Assigned SC-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-10
Network Disconnect
Network Disconnect (T)
Not Specified Not Entered Not Assigned SC-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-12
Cryptographic Key Establishment and Management
Cryptographic Key Establishment and Management (T)
Not Specified Not Entered Not Assigned SC-12.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-12 (1)
Cryptographic Key Establishment and Management
Cryptographic Key Establishment and Management (T)
Not Specified Not Entered Not Assigned SC-12(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS

Cryptographic Key

Cryptographic Key

Not Specified Not Entered Not Assigned SC-12(DHS-

X X - - - Not Met None

CLASSIFICATION WAS NOT SELECTED52

Page 56: Requirements Traceability Matrix (RTM)

CLASSIFICATION WAS NOT SELECTED

Control Ref.

Security Req./

Control

Security Category

ControlType

PlannedImp.

ActualImp.

Test#(s)

Methods Tailored

Result Notes4300A SC-12 (DHS-

4.6.b)

Establishment and

Management

Establishment and

Management (T)

4.6.b)

NIST 800-53 w/ DHS 4300A SC-12 (DHS-5.5.3.a)

Cryptographic Key

Establishment and

Management

Cryptographic Key

Establishment and

Management (T)

Not Specified Not Entered Not AssignedSC-

12(DHS-5.5.3.a)

X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-12 (DHS-5.5.3.b) Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management (T) Not Specified Not Entered Not Assigned SC-12(DHS-5.5.3.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-12 (DHS-5.5.3.c) Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management (T) Not Specified Not Entered Not Assigned SC-12(DHS-5.5.3.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-12 (DHS-5.5.3.i) Cryptographic Key Establishment and Management Cryptographic Key Establishment and Management (T) Not Specified Not Entered Not Assigned SC-12(DHS-5.5.3.i) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-13 Use of Cryptography Cryptographic Protection (T) Not Specified Not Entered Not Assigned SC-13.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-13 (DHS-5.4.6.k) Use of Cryptography Cryptographic Protection (T) Not Specified Not Entered Not Assigned SC-13(DHS-5.4.6.k) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-13 (DHS-5.5.1.a) Use of Cryptography Cryptographic Protection (T) Not Specified Not Entered Not Assigned SC-13(DHS-5.5.1.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-13 (DHS-5.5.1.c) Use of Cryptography Cryptographic Protection (T) Not Specified Not Entered Not Assigned SC-13(DHS-5.5.1.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-13 (DHS-5.5.2.v) Use of Cryptography Cryptographic Protection (T) Not Specified Not Entered Not Assigned SC-13(DHS-5.5.2.v) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-13 (DHS-5.7.d) Use of Cryptography Cryptographic Protection (T) Not Specified Not Entered Not Assigned SC-13(DHS-5.7.d) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-15 Collaborative Computing Devices Collaborative Computing Devices (T) Not Specified Not Entered Not Assigned SC-15.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-15 (DHS-4.5.3.a) Collaborative Computing Devices Collaborative Computing Devices (T) Not Specified Not Entered Not Assigned SC-15(DHS-4.5.3.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-15 (DHS-4.5.3.b) Collaborative Computing Devices Collaborative Computing Devices (T) Not Specified Not Entered Not Assigned SC-15(DHS-4.5.3.b) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-15 (DHS-4.5.3.c) Collaborative Computing Devices Collaborative Computing Devices (T) Not Specified Not Entered Not Assigned SC-15(DHS-4.5.3.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-17 Public Key Infrastructure Certificates Public Key Infrastructure Certificates (T) Not Specified Not Entered Not Assigned SC-17.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-18 Mobile Code Mobile Code (T) Not Specified Not Entered Not Assigned SC-18.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-19 Voice Over Internet Protocol Voice Over Internet Protocol (T) Not Specified Not Entered Not Assigned SC-19.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-20 Secure Name/Address Resolution Service (Authoritative Source) Secure Name / Address Resolution Service (Authoritative Source) (T) Not Specified Not Entered Not Assigned SC-20.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-20 (DHS-5.4.3.k) Secure Name/Address Resolution Service (Authoritative Source) Secure Name / Address Resolution Service (Authoritative Source) (T) Not Specified Not Entered Not Assigned SC-20(DHS-5.4.3.k) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) Secure Name / Address Resolution Service (Recursive or Caching Resolver) (T) Not Specified Not Entered Not Assigned SC-21.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-22 Architecture and Provisioning for Name/Address Resolution Service Architecture and Provisioning for Name/Address Resolution Service (T) Not Specified Not Entered Not Assigned SC-22.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-23 Session Authenticity Session Authenticity (T) Not Specified Not Entered Not Assigned SC-23.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-24 Fail in Known State Fail in Known State (T) Not Specified Not Entered Not Assigned SC-24.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-28 Protection of Information at Rest Protection of Information at Rest (T) Not Specified Not Entered Not Assigned SC-28.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-28 (DHS-5.2.g) Protection of Information at Rest Protection of Information at Rest (T) Not Specified Not Entered Not Assigned SC-28(DHS-5.2.g) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SC-39 Process Isolation Process Isolation (T) Not Specified Not Entered Not Assigned SC-39.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-1 System and Information Integrity Policy and Procedures System and Information Integrity Policy and Procedures (O) Not Specified Not Entered Not Assigned SI-1.1, SI-1.2 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-1 (DHS-5.4.2.a) System and Information Integrity Policy and Procedures System and Information Integrity Policy and Procedures (O) Not Specified Not Entered Not Assigned SI-1(DHS-5.4.2.a) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-1 (DHS-5.4.5.c) System and Information Integrity Policy and Procedures System and Information Integrity Policy and Procedures (O) Not Specified Not Entered Not Assigned SI-1(DHS-5.4.5.c) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-1 (DHS-5.4.6.h) System and Information Integrity Policy and Procedures System and Information Integrity Policy and Procedures (O) Not Specified Not Entered Not Assigned SI-1(DHS-5.4.6.h) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-2 Flaw Remediation Flaw Remediation (O) Not Specified Not Entered Not Assigned SI-2.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-2 (1) Flaw Remediation Flaw Remediation (O) Not Specified Not Entered Not Assigned SI-2(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-2 (2) Flaw Remediation Flaw Remediation (O) Not Specified Not Entered Not Assigned SI-2(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-3 Malicious Code Protection Malicious Code Protection (O) Not Specified Not Entered Not Assigned SI-3.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-3 (1) Malicious Code Protection Malicious Code Protection (O) Not Specified Not Entered Not Assigned SI-3(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-3 (2) Malicious Code Protection Malicious Code Protection (O) Not Specified Not Entered Not Assigned SI-3(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-3 (10) Malicious Code Protection Malicious Code Protection (O) Not Specified Not Entered Not Assigned SI-3(10).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-3 (DHS-5.4.6.g) Malicious Code Protection Malicious Code Protection (O) Not Specified Not Entered Not Assigned SI-3(DHS-5.4.6.g) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-4 Information System Monitoring Information System Monitoring (O) Not Specified Not Entered Not Assigned SI-4.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-4 (2) Information System Monitoring Information System Monitoring (O) Not Specified Not Entered Not Assigned SI-4(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-4 (4) Information System Monitoring Information System Monitoring (O) Not Specified Not Entered Not Assigned SI-4(4).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-4 (5) Information System Monitoring Information System Monitoring (O) Not Specified Not Entered Not Assigned SI-4(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-5 Security Alerts, Advisories, and Directives Security Alerts, Advisories, and Directives (O) Not Specified Not Entered Not Assigned SI-5.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-5 (1) Security Alerts, Advisories, and Directives Security Alerts, Advisories, and Directives (O) Not Specified Not Entered Not Assigned SI-5(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-6 Security Functionality Verification Security Function Verification (O) Not Specified Not Entered Not Assigned SI-6.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 (1) Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 (2) Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 (5) Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7(5).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 (7) Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7(7).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 (14) Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7(14).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-7 (DHS-5.1.1.e) Software and Information Integrity Software, Firmware, and Information Integrity (O) Not Specified Not Entered Not Assigned SI-7(DHS-5.1.1.e) X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-8 Spam Protection Spam Protection (O) Not Specified Not Entered Not Assigned SI-8.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-8 (1) Spam Protection Spam Protection (O) Not Specified Not Entered Not Assigned SI-8(1).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-8 (2) Spam Protection Spam Protection (O) Not Specified Not Entered Not Assigned SI-8(2).1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-10 Information Input Validation Information Input Validation (O) Not Specified Not Entered Not Assigned SI-10.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-11 Error Handling Error Handling (O) Not Specified Not Entered Not Assigned SI-11.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-12 Information Output Handling and Retention Information Handling and Retention (O) Not Specified Not Entered Not Assigned SI-12.1 X X - - - Not Met None

NIST 800-53 w/ DHS 4300A SI-16 Memory Protection Memory Protection (O) Not Specified Not Entered Not Assigned SI-16.1 X X - - - Not Met None
