NIST RMF Controls Flashcards

1
AC-1
Access Control - Policy and Procedures
2
AC-2
Access Control - Account Management
3
AC-3
Access Control - Access Enforcement
4
AC-4
Access Control - Information Flow Enforcement
5
AC-5
Access Control - Separation of Duties
6
AC-6
Access Control - Least Privilege
7
AC-7
Access Control - Unsuccessful Logon Attempts
8
AC-8
Access Control - System Use Notification
9
AC-9
Access Control - Previous Logon Notification
10
AC-10
Access Control - Concurrent Session Control
11
AC-11
Access Control - Device Lock
12
AC-12
Access Control - Session Termination
13
AC-13
Access Control - Supervision and Review
14
AC-14
Access Control - Permitted Actions Without Identification or Authentication
15
AC-15
Access Control - Automated Marking
16
AC-16
Access Control - Security and Privacy Attributes
17
AC-17
Access Control - Remote Access
18
AC-18
Access Control - Wireless Access
19
AC-19
Access Control - Access Control for Mobile Devices
20
AC-20
Access Control - Use of External Systems
21
AC-21
Access Control - Information Sharing
22
AC-22
Access Control - Publicly Accessible Content
23
AC-23
Access Control - Data Mining Protection
24
AC-24
Access Control - Access Control Decisions
25
AC-25
Access Control - Reference Monitor
26
AT-1
Awareness and Training - Policy and Procedures
27
AT-2
Awareness and Training - Literacy Training and Awareness
28
AT-3
Awareness and Training - Role-based Training
29
AT-4
Awareness and Training - Training Records
30
AT-5
Awareness and Training - Contacts with Security Groups and Associations
31
AT-6
Awareness and Training - Training Feedback
32
AU-1
Audit and Accountability - Policy and Procedures
33
AU-2
Audit and Accountability - Event Logging
34
AU-3
Audit and Accountability - Content of Audit Records
35
AU-4
Audit and Accountability - Audit Log Storage Capacity
36
AU-5
Audit and Accountability - Response to Audit Logging Process Failures
37
AU-6
Audit and Accountability - Audit Record Review, Analysis, and Reporting
38
AU-7
Audit and Accountability - Audit Record Reduction and Report Generation
39
AU-8
Audit and Accountability - Time Stamps
40
AU-9
Audit and Accountability - Protection of Audit Information
41
AU-10
Audit and Accountability - Non-repudiation
42
AU-11
Audit and Accountability - Audit Record Retention
43
AU-12
Audit and Accountability - Audit Record Generation
44
AU-13
Audit and Accountability - Monitoring for Information Disclosure
45
AU-14
Audit and Accountability - Session Audit
46
AU-15
Audit and Accountability - Alternate Audit Logging Capability
47
AU-16
Audit and Accountability - Cross-organizational Audit Logging
48
CA-1
Assessment, Authorization, and Monitoring - Policy and Procedures
49
CA-2
Assessment, Authorization, and Monitoring - Control Assessments
50
CA-3
Assessment, Authorization, and Monitoring - Information Exchange
51
CA-4
Assessment, Authorization, and Monitoring - Security Certification
52
CA-5
Assessment, Authorization, and Monitoring - Plan of Action and Milestones
53
CA-6
Assessment, Authorization, and Monitoring - Authorization
54
CA-7
Assessment, Authorization, and Monitoring - Continuous Monitoring
55
CA-8
Assessment, Authorization, and Monitoring - Penetration Testing
56
CA-9
Assessment, Authorization, and Monitoring - Internal System Connections
57
CM-1
Configuration Management - Policy and Procedures
58
CM-2
Configuration Management - Baseline Configuration
59
CM-3
Configuration Management - Configuration Change Control
60
CM-4
Configuration Management - Impact Analyses
61
CM-5
Configuration Management - Access Restrictions for Change
62
CM-6
Configuration Management - Configuration Settings
63
CM-7
Configuration Management - Least Functionality
64
CM-8
Configuration Management - System Component Inventory
65
CM-9
Configuration Management - Configuration Management Plan
66
CM-10
Configuration Management - Software Usage Restrictions
67
CM-11
Configuration Management - User-installed Software
68
CM-12
Configuration Management - Information Location
69
CM-13
Configuration Management - Data Action Mapping
70
CM-14
Configuration Management - Signed Components
71
CP-1
Contingency Planning - Policy and Procedures
72
CP-2
Contingency Planning - Contingency Plan
73
CP-3
Contingency Planning - Contingency Training
74
CP-4
Contingency Planning - Contingency Plan Testing
75
CP-5
Contingency Planning - Contingency Plan Update
76
CP-6
Contingency Planning - Alternate Storage Site
77
CP-7
Contingency Planning - Alternate Processing Site
78
CP-8
Contingency Planning - Telecommunications Services
79
CP-9
Contingency Planning - System Backup
80
CP-10
Contingency Planning - System Recovery and Reconstitution
81
CP-11
Contingency Planning - Alternate Communications Protocols
82
CP-12
Contingency Planning - Safe Mode
83
CP-13
Contingency Planning - Alternative Security Mechanisms
84
IA-1
Identification and Authentication - Policy and Procedures
85
IA-2
Identification and Authentication - Identification and Authentication (Organizational Users)
86
IA-3
Identification and Authentication - Device Identification and Authentication
87
IA-4
Identification and Authentication - Identifier Management
88
IA-5
Identification and Authentication - Authenticator Management
89
IA-6
Identification and Authentication - Authentication Feedback
90
IA-7
Identification and Authentication - Cryptographic Module Authentication
91
IA-8
Identification and Authentication - Identification and Authentication (Non-organizational Users)
92
IA-9
Identification and Authentication - Service Identification and Authentication
93
IA-10
Identification and Authentication - Adaptive Authentication
94
IA-11
Identification and Authentication - Re-authentication
95
IA-12
Identification and Authentication - Identity Proofing
96
IR-1
Incident Response - Policy and Procedures
97
IR-2
Incident Response - Incident Response Training
98
IR-3
Incident Response - Incident Response Testing
99
IR-4
Incident Response - Incident Handling
100
IR-5
Incident Response - Incident Monitoring
101
IR-6
Incident Response - Incident Reporting
102
IR-7
Incident Response - Incident Response Assistance
103
IR-8
Incident Response - Incident Response Plan
104
IR-9
Incident Response - Information Spillage Response
105
IR-10
Incident Response - Integrated Information Security Analysis Team
106
MA-1
Maintenance - Policy and Procedures
107
MA-2
Maintenance - Controlled Maintenance
108
MA-3
Maintenance - Maintenance Tools
109
MA-4
Maintenance - Nonlocal Maintenance
110
MA-5
Maintenance - Maintenance Personnel
111
MA-6
Maintenance - Timely Maintenance
112
MA-7
Maintenance - Field Maintenance
113
MP-1
Media Protection - Policy and Procedures
114
MP-2
Media Protection - Media Access
115
MP-3
Media Protection - Media Marking
116
MP-4
Media Protection - Media Storage
117
MP-5
Media Protection - Media Transport
118
MP-6
Media Protection - Media Sanitization
119
MP-7
Media Protection - Media Use
120
MP-8
Media Protection - Media Downgrading
121
PE-1
Physical and Environmental Protection - Policy and Procedures
122
PE-2
Physical and Environmental Protection - Physical Access Authorizations
123
PE-3
Physical and Environmental Protection - Physical Access Control
124
PE-4
Physical and Environmental Protection - Access Control for Transmission
125
PE-5
Physical and Environmental Protection - Access Control for Output Devices
126
PE-6
Physical and Environmental Protection - Monitoring Physical Access
127
PE-7
Physical and Environmental Protection - Visitor Control
128
PE-8
Physical and Environmental Protection - Visitor Access Records
129
PE-9
Physical and Environmental Protection - Power Equipment and Cabling
130
PE-10
Physical and Environmental Protection - Emergency Shutoff
131
PE-11
Physical and Environmental Protection - Emergency Power
132
PE-12
Physical and Environmental Protection - Emergency Lighting
133
PE-13
Physical and Environmental Protection - Fire Protection
134
PE-14
Physical and Environmental Protection - Environmental Controls
135
PE-15
Physical and Environmental Protection - Water Damage Protection
136
PE-16
Physical and Environmental Protection - Delivery and Removal
137
PE-17
Physical and Environmental Protection - Alternate Work Site
138
PE-18
Physical and Environmental Protection - Location of System Components
139
PE-19
Physical and Environmental Protection - Information Leakage
140
PE-20
Physical and Environmental Protection - Asset Monitoring and Tracking
141
PE-21
Physical and Environmental Protection - Electromagnetic Pulse Protection
142
PE-22
Physical and Environmental Protection - Component Marking
143
PE-23
Physical and Environmental Protection - Facility Location
144
PL-1
Planning - Policy and Procedures
145
PL-2
Planning - System Security and Privacy Plans
146
PL-3
Planning - System Security Plan Update
147
PL-4
Planning - Rules of Behavior
148
PL-5
Planning - Privacy Impact Assessment
149
PL-6
Planning - Security Related Activity Planning
150
PL-7
Planning - Concept of Operation
151
PL-8
Planning - Security and Privacy Architectures
152
PL-9
Planning - Central Management
153
PL-10
Planning - Baseline Selection
154
PL-11
Planning - Baseline Tailoring
155
PM-1
Program Management - Information Security Program Plan
156
PM-2
Program Management - Information Security Program Leadership Role
157
PM-3
Program Management - Information Security and Privacy Resources
158
PM-4
Program Management - Plan of Action and Milestones Process
159
PM-5
Program Management - System Inventory
160
PM-6
Program Management - Measures of Performance
161
PM-7
Program Management - Enterprise Architecture
162
PM-8
Program Management - Critical Infrastructure Plan
163
PM-9
Program Management - Critical Infrastructure Plan
164
PM-10
Program Management - Authorization Process
165
PM-11
Program Management - Mission and Business Process Definition
166
PM-12
Program Management - Insider Threat Program
167
PM-13
Program Management - Security and Privacy Workforce
168
PM-14
Program Management - Testing, Training, and Monitoring
169
PM-15
Program Management - Security and Privacy Groups and Associations
170
PM-16
Program Management - Threat Awareness Program
171
PM-17
Program Management - Protecting Controlled Unclassified Information on External Systems
172
PM-18
Program Management - Privacy Program Plan
173
PM-19
Program Management - Privacy Program Leadership Role
174
PM-20
Program Management - Dissemination of Privacy Program Information
175
PM-21
Program Management - Accounting of Disclosures
176
PM-22
Program Management - Personally Identifiable Information Quality Management
177
PM-23
Program Management - Data Governance Body
178
PM-24
Program Management - Data Integrity Board
179
PM-25
Program Management - Minimization of Personally Identifiable Information Used in Testing, Training, and Research
180
PM-26
Program Management - Complaint Management
181
PM-27
Program Management - Privacy Reporting
182
PM-28
Program Management - Risk Framing
183
PM-29
Program Management - Risk Management Program Leadership Roles
184
PM-30
Program Management - Supply Chain Risk Management Strategy
185
PM-31
Program Management - Continuous Monitoring Strategy
186
PM-32
Program Management - Purposing
187
PS-1
Personnel Security - Policy and Procedures
188
PS-2
Personnel Security - Position Risk Designation
189
PS-3
Personnel Security - Personnel Screening
190
PS-4
Personnel Security - Personnel Termination
191
PS-5
Personnel Security - Personnel Transfer
192
PS-6
Personnel Security - Access Agreements
193
PS-7
Personnel Security - External Personnel Security
194
PS-8
Personnel Security - Personnel Sanctions
195
PS-9
Personnel Security - Position Descriptions
196
PT-1
Personally Identifiable Information Processing and Transparency - Policy and Procedures
197
PT-2
Personally Identifiable Information Processing and Transparency - Authority to Process Personally Identifiable Information
198
PT-3
Personally Identifiable Information Processing and Transparency - Personally Identifiable Information Processing Purposes
199
PT-4
Personally Identifiable Information Processing and Transparency - Consent
200
PT-5
Personally Identifiable Information Processing and Transparency - Privacy Notice
201
PT-6
Personally Identifiable Information Processing and Transparency - System of Records Notice
202
PT-7
Personally Identifiable Information Processing and Transparency - Specific Categories of Personally Identifiable Information
203
PT-8
Personally Identifiable Information Processing and Transparency - Computer Matching Requirements
204
RA-1
Risk Assessment - Policy and Procedures
205
RA-2
Risk Assessment - Security Categorization
206
RA-3
Risk Assessment - Risk Assessment
207
RA-4
Risk Assessment - Risk Assessment Update
208
RA-5
Risk Assessment - Vulnerability Monitoring and Scanning
209
RA-6
Risk Assessment - Technical Surveillance Countermeasures Survey
210
RA-7
Risk Assessment - Risk Response
211
RA-8
Risk Assessment - Privacy Impact Assessments
212
RA-9
Risk Assessment - Criticality Analysis
213
RA-10
Risk Assessment - Threat Hunting
214
SA-1
System and Services Acquisition - Policy and Procedures
215
SA-2
System and Services Acquisition - Allocation of Resources
216
SA-3
System and Services Acquisition - System Development Life Cycle
217
SA-4
System and Services Acquisition - Acquisition Process
218
SA-5
System and Services Acquisition - System Documentation
219
SA-6
System and Services Acquisition - Software Usage Restrictions
220
SA-7
System and Services Acquisition - User-installed Software
221
SA-8
System and Services Acquisition - Security and Privacy Engineering Principles
222
SA-9
System and Services Acquisition - External System Services
223
SA-10
System and Services Acquisition - Developer Configuration Management
224
SA-11
System and Services Acquisition - Developer Testing and Evaluation
225
SA-12
System and Services Acquisition - Supply Chain Protection
226
SA-13
System and Services Acquisition - Trustworthiness
227
SA-14
System and Services Acquisition - Criticality Analysis
228
SA-15
System and Services Acquisition - Development Process, Standards, and Tools
229
SA-16
System and Services Acquisition - Developer-provided Training
230
SA-17
System and Services Acquisition - Developer Security and Privacy Architecture and Design
231
SA-18
System and Services Acquisition - Tamper Resistance and Detection
232
SA-19
System and Services Acquisition - Component Authenticity
233
SA-20
System and Services Acquisition - Customized Development of Critical Components
234
SA-21
System and Services Acquisition - Developer Screening
235
SA-22
System and Services Acquisition - Unsupported System Components
236
SA-23
System and Services Acquisition - Specialization
237
SC-1
System and Communications Protection - Policy and Procedures
238
SC-2
System and Communications Protection - Separation of System and User Functionality
239
SC-3
System and Communications Protection - Security Function Isolation
240
SC-4
System and Communications Protection - Information in Shared System Resources
241
SC-5
System and Communications Protection - Denial-of-service Protection
242
SC-6
System and Communications Protection - Resource Availability
243
SC-7
System and Communications Protection - Boundary Protection
244
SC-8
System and Communications Protection - Transmission Confidentiality and Integrity
245
SC-9
System and Communications Protection - Transmission Confidentiality
246
SC-10
System and Communications Protection - Network Disconnect
247
SC-11
System and Communications Protection - Trusted Path
248
SC-12
System and Communications Protection - Cryptographic Key Establishment and Management
249
SC-13
System and Communications Protection - Cryptographic Protection
250
SC-14
System and Communications Protection - Public Access Protections
251
SC-15
System and Communications Protection - Collaborative Computing Devices and Applications
252
SC-16
System and Communications Protection - Transmission of Security and Privacy Attributes
253
SC-17
System and Communications Protection - Public Key Infrastructure Certificates
254
SC-18
System and Communications Protection - Mobile Code
255
SC-19
System and Communications Protection - Voice over Internet Protocol
256
SC-20
System and Communications Protection - Secure Name/Address Resolution Service (Authoritative Source)
257
SC-21
System and Communications Protection - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
258
SC-22
System and Communications Protection - Architecture and Provisioning for Name/Address Resolution Service
259
SC-23
System and Communications Protection - Session Authenticity
260
SC-24
System and Communications Protection - Fail in Known State
261
SC-25
System and Communications Protection - Thin Nodes
262
SC-26
System and Communications Protection - Decoys
263
SC-27
System and Communications Protection - Platform-independent Applications
264
SC-28
System and Communications Protection - Protection of Information at Rest
265
SC-29
System and Communications Protection - Heterogeneity
266
SC-30
System and Communications Protection - Concealment and Misdirection
267
SC-31
System and Communications Protection - Covert Channel Analysis
268
SC-32
System and Communications Protection - System Partitioning
269
SC-33
System and Communications Protection - Transmission Preparation Integrity
270
SC-34
System and Communications Protection - Non-modifiable Executable Programs
271
SC-35
System and Communications Protection - External Malicious Mode Identification
272
SC-36
System and Communications Protection - Distributed Processing and Storage
273
SC-37
System and Communications Protection - Out-of-band Channels
274
SC-38
System and Communications Protection - Operations Security
275
SC-39
System and Communications Protection - Process Isolation
276
SC-40
System and Communications Protection - Wireless Link Protection
277
SC-41
System and Communications Protection - Port and I/O Device Access
278
SC-42
System and Communications Protection - Sensor Capability and Data
279
SC-43
System and Communications Protection - Usage Restrictions
280
SC-44
System and Communications Protection - Detonation Chambers
281
SC-45
System and Communications Protection - System Time Synchronization
282
SC-46
System and Communications Protection - Cross Domain Policy Enforcements
283
SC-47
System and Communications Protection - Alternate Communications Paths
284
SC-48
System and Communications Protection - Sensor Relocation
285
SC-49
System and Communications Protection - Hardware-enforced Separation and Policy Enforcement
286
SC-50
System and Communications Protection - Software-enforced Separation and Policy Enforcement
287
SC-51
System and Communications Protection - Hardware-based Protection
288
SI-1
System and Information Integrity - Policy and Procedures
289
SI-2
System and Information Integrity - Flaw Remediation
290
SI-3
System and Information Integrity - Malicious Code Protection
291
SI-4
System and Information Integrity - System Monitoring
292
SI-5
System and Information Integrity - Security Alerts, Advisories, and Directives
293
SI-6
System and Information Integrity - Security and Privacy Function Verification
294
SI-7
System and Information Integrity - Software, Firmware, and Information Integrity
295
SI-8
System and Information Integrity - Spam Protection
296
SI-9
System and Information Integrity - Information Input Restrictions
297
SI-10
System and Information Integrity - Information Input Validation
298
SI-11
System and Information Integrity - Error Handling
299
SI-12
System and Information Integrity - Information Management and Retention
300
SI-13
System and Information Integrity - Predictable Failure Prevention
301
SI-14
System and Information Integrity - Non-persistence
302
SI-15
System and Information Integrity - Information Output Filtering
303
SI-16
System and Information Integrity - Memory Protection
304
SI-17
System and Information Integrity - Fail-safe Procedures
304
SI-20
System and Information Integrity - Tainting
304
SI-18
System and Information Integrity - Personally Identifiable Information Quality Operations
305
SI-19
System and Information Integrity - De-identification
306
SI-21
System and Information Integrity - Information Refresh
307
SI-22
System and Information Integrity - Information Diversity
308
SI-23
System and Information Integrity - Information Fragmentation
309
SR-1
Supply Chain Risk Management - Policy and Procedures
310
SR-2
Supply Chain Risk Management - Supply Chain Risk Management Plan
311
SR-3
Supply Chain Risk Management - Supply Chain Controls and Processes
312
SR-4
Supply Chain Risk Management - Provenance
313
SR-5
Supply Chain Risk Management - Acquisition Strategies, Tools and Methods
314
SR-6
Supply Chain Risk Management - Supplier Assessments and Reviews
315
SR-7
Supply Chain Risk Management - Supply Chain Operations Security
316
SR-8
Supply Chain Risk Management - Notification Agreements
317
SR-9
Supply Chain Risk Management - Tamper Resistance and Detection
318
SR-10
Supply Chain Risk Management - Inspection of Systems or Components
319
SR-11
Supply Chain Risk Management - Component Authenticity
320
SR-12
Supply Chain Risk Management - Component Disposal