
CIS Controls Navigator

Help
  • The following page shows a dynamic list of CIS Sub-Controls that can be filtered according to Implementation Groups and specific Mappings.
  • To filter by Implementation Group, simply select the checkbox for the Implementation Group. The filter will be automatically applied.
  • To filter by specific mappings, select from the dropdown the mapping you'd like to filter by, then check individual values or click "Check All" to select all mapping values. Finally click "Apply {Mapping} Filter". More than one mapping can be applied concurrently.
  • Additional Sub-Controls can be added to or deselected from filtered results. To add more, scroll to the bottom of results and click "View Hidden Sub-Controls", then select. To remove, deselect the checkboxes of those you wish to remove, then hit "Remove Unchecked CIS Sub-Controls". This functionality will only become visible after an initial filter has been applied.
  • Filters for Mappings and Implementation Groups can be applied concurrently. However, once "Filter by Checked CIS Sub-Controls" is clicked, the results become dependent upon whether or not each Sub-Control is individually checked. To clear this, click "Reset Filters".
  • All Sub-Controls within IG (Implementation Group) 1 will also be a part of IG 2 and IG 3. All Sub-Controls within IG 2 will also be within IG 3. The IGs for each Sub-Control are signified by one or more colored dots.
  • Download a copy of the CIS Sub-Controls and learn more about Implementation Groups.
  • Please select the mappings you'd like to apply, then hit the 'Apply...' button.
  • Scroll down to view the filtered Sub-Controls.
  • DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed
  • DE.AE-2 - Detected events are analyzed to understand attack targets and methods
  • DE.AE-3 - Event data are collected and correlated from multiple sources and sensors
  • DE.AE-5 - Incident alert thresholds are established
  • DE.CM-1 - The network is monitored to detect potential cybersecurity events
  • DE.CM-3 - Personnel activity is monitored to detect potential cybersecurity events
  • DE.CM-4 - Malicious code is detected
  • DE.CM-7 - Monitoring for unauthorized personnel, connections, devices, and software is performed
  • DE.CM-8 - Vulnerability scans are performed
  • DE.DP-1 - Roles and responsibilities for detection are well defined to ensure accountability
  • DE.DP-4 - Event detection information is communicated
  • ID.AM-1 - Physical devices and systems within the organization are inventoried
  • ID.AM-2 - Software platforms and applications within the organization are inventoried
  • ID.AM-3 - Organizational communication and data flows are mapped
  • ID.AM-4 - External information systems are catalogued
  • ID.AM-5 - Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  • ID.AM-6 - Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  • ID.GV-2 - Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
  • ID.RA-1 - Asset vulnerabilities are identified and documented
  • ID.RA-5 - Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • ID.SC-5 - Response and recovery planning and testing are conducted with suppliers and third-party providers
  • PR.AC-1 - Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3 - Remote access is managed
  • PR.AC-4 - Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.AC-5 - Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.AC-6 - Identities are proofed and bound to credentials and asserted in interactions
  • PR.AC-7 - Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
  • PR.AT-1 - All users are informed and trained
  • PR.AT-2 - Privileged users understand their roles and responsibilities
  • PR.AT-3 - Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  • PR.AT-4 - Senior executives understand their roles and responsibilities
  • PR.AT-5 - Physical and cybersecurity personnel understand their roles and responsibilities
  • PR.DS-1 - Data-at-rest is protected
  • PR.DS-2 - Data-in-transit is protected
  • PR.DS-3 - Assets are formally managed throughout removal, transfers, and disposition
  • PR.DS-4 - Adequate capacity to ensure availability is maintained
  • PR.DS-5 - Protections against data leaks are implemented
  • PR.DS-6 - Integrity checking mechanisms are used to verify software, firmware, and information integrity
  • PR.DS-7 - The development and testing environment(s) are separate from the production environment
  • PR.IP-1 - A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  • PR.IP-10 - Response and recovery plans are tested
  • PR.IP-11 - Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  • PR.IP-12 - A vulnerability management plan is developed and implemented
  • PR.IP-3 - Configuration change control processes are in place
  • PR.IP-4 - Backups of information are conducted, maintained, and tested
  • PR.IP-9 - Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • PR.MA-2 - Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
  • PR.PT-1 - Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  • PR.PT-2 - Removable media is protected and its use restricted according to policy
  • PR.PT-3 - The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • PR.PT-5 - Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
  • RS.AN-1 - Notifications from detection systems are investigated
  • RS.AN-4 - Incidents are categorized consistent with response plans
  • RS.AN-5 - Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
  • RS.CO-1 - Personnel know their roles and order of operations when a response is needed
  • RS.CO-2 - Incidents are reported consistent with established criteria
  • RS.CO-4 - Coordination with stakeholders occurs consistent with response plans
  • RS.MI-3 - Newly identified vulnerabilities are mitigated or documented as accepted risks
  • A.6.1.3 - Contact with authorities
  • A.6.2.1 - Mobile device policy
  • A.7.2.2 - Information security awareness, education and training
  • A.8.1.1 - Inventory of assets
  • A.8.1.3 - Acceptable use of assets
  • A.8.2.1 - Classification of information
  • A.8.3.1 - Management of removable media
  • A.9.1.1 - Access control policy
  • A.9.1.2 - Access to networks and network services
  • A.9.2.1 - User registration and deregistration
  • A.9.2.3 - Management of privileged access rights
  • A.9.2.6 - Removal or adjustment of access rights
  • A.9.3.1 - Use of secret authentication information
  • A.9.4.2 - Secure log-on procedures
  • A.9.4.3 - Password management system
  • A.10.1.1 - Policy on the use of cryptographic controls
  • A.11.2.5 - Removal of assets
  • A.12.1.2 - Change management
  • A.12.1.4 - Separation of development, test and operational environments
  • A.12.2.1 - Controls against malware
  • A.12.3.1 - Information backup
  • A.12.4.1 - Event logging
  • A.12.4.3 - Administrator and operator logs
  • A.12.4.4 - Clock synchronization
  • A.12.5.1 - Installation of software on operational systems
  • A.12.6.1 - Management of technical vulnerabilities
  • A.12.6.2 - Restrictions on software installation
  • A.12.14.1 - Event logging
  • A.13.1.1 - Network Controls
  • A.13.1.2 - Security of network services
  • A.13.1.3 - Segregation in networks
  • A.13.2.3 - Electronic messaging
  • A.14.2.1 - Secure development policy
  • A.14.2.5 - Secure system engineering principles
  • A.16.1.1 - Responsibilities and procedures
  • A.16.1.3 - Reporting information security events
  • 3.1.1 - Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • 3.1.2 - Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • 3.1.2e - Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
  • 3.1.3 - Control the flow of CUI in accordance with approved authorizations.
  • 3.1.3e - Employ secure information transfer solutions to control information flows between security domains on connected systems.
  • 3.1.5 - Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • 3.1.7 - Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
  • 3.1.8 - Limit unsuccessful logon attempts.
  • 3.1.10 - Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
  • 3.1.11 - Terminate (automatically) a user session after a defined condition.
  • 3.1.12 - Monitor and control remote access sessions.
  • 3.1.13 - Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • 3.1.14 - Route remote access via managed access control points.
  • 3.1.16 - Authorize wireless access prior to allowing such connections.
  • 3.1.17 - Protect wireless access using authentication and encryption.
  • 3.1.18 - Control connection of mobile devices.
  • 3.1.19 - Encrypt CUI on mobile devices and mobile computing platforms.
  • 3.1.20 - Verify and control/limit connections to and use of external systems.
  • 3.2.1 - Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
  • 3.2.1e - Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
  • 3.2.2 - Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
  • 3.2.2e - Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
  • 3.2.3 - Provide security awareness training on recognizing and reporting potential indicators of insider threat.
  • 3.3.1 - Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
  • 3.3.2 - Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
  • 3.3.3 - Review and update logged events.
  • 3.3.5 - Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
  • 3.3.7 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  • 3.3.9 - Limit management of audit logging functionality to a subset of privileged users.
  • 3.4.1 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  • 3.4.1e - Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
  • 3.4.2 - Establish and enforce security configuration settings for information technology products employed in organizational systems.
  • 3.4.3 - Track, review, approve or disapprove, and log changes to organizational systems.
  • 3.4.5 - Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
  • 3.4.7 - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
  • 3.4.8 - Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
  • 3.4.9 - Control and monitor user-installed software.
  • 3.5.1 - Identify system users, processes acting on behalf of users, and devices.
  • 3.5.2 - Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
  • 3.5.3 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  • 3.5.6 - Disable identifiers after a defined period of inactivity.
  • 3.5.7 - Enforce a minimum password complexity and change of characters when new passwords are created.
  • 3.5.8 - Prohibit password reuse for a specified number of generations.
  • 3.5.10 - Store and transmit only cryptographically-protected passwords.
  • 3.6.1 - Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
  • 3.6.2 - Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
  • 3.6.3 - Test the organizational incident response capability.
  • 3.7.3 - Ensure equipment removed for off-site maintenance is sanitized of any CUI.
  • 3.7.4 - Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
  • 3.7.5 - Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
  • 3.8.1 - Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
  • 3.8.2 - Limit access to CUI on system media to authorized users.
  • 3.8.5 - Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
  • 3.8.6 - Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
  • 3.8.7 - Control the use of removable media on system components.
  • 3.8.9 - Protect the confidentiality of backup CUI at storage locations.
  • 3.9.2 - Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
  • 3.10.2 - Protect and monitor the physical facility and support infrastructure for organizational systems.
  • 3.11.2 - Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  • 3.11.3 - Remediate vulnerabilities in accordance with risk assessments.
  • 3.12.1 - Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
  • 3.12.2 - Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
  • 3.12.3 - Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
  • 3.12.4 - Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • 3.13.1 - Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
  • 3.13.3 - Separate user functionality from system management functionality.
  • 3.13.4 - Prevent unauthorized and unintended information transfer via shared system resources.
  • 3.13.5 - Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  • 3.13.6 - Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
  • 3.13.8 - Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
  • 3.13.11 - Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
  • 3.13.12 - Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
  • 3.13.13 - Control and monitor the use of mobile code.
  • 3.13.15 - Protect the authenticity of communications sessions.
  • 3.13.16 - Protect the confidentiality of CUI at rest.
  • 3.14.1 - Identify, report, and correct system flaws in a timely manner.
  • 3.14.2 - Provide protection from malicious code at designated locations within organizational systems.
  • 3.14.4 - Update malicious code protection mechanisms when new releases are available.
  • 3.14.5 - Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
  • 3.14.7 - Identify unauthorized use of organizational systems.
  • AC-2 - Account Management
  • AC-3 - Access Enforcement
  • AC-17 - Remote Access
  • AC-18 - Wireless Access
  • AC-20 - Use of External Information Systems
  • AT-1 - Security Awareness and Training Policy and Procedures
  • AT-2 - Security Awareness Training
  • AU-2 - Audit Events
  • AU-3 - Content of Audit Records
  • AU-4 - Audit Storage Capacity
  • AU-6 - Audit Review, Analysis, and Reporting
  • AU-8 - Time Stamps
  • AU-12 - Audit Generation
  • CA-3 - System Interconnections
  • CA-7 - Continuous Monitoring
  • CA-9 - Internal System Connections
  • CM-1 - Configuration Management Policy and Procedures
  • CM-2 - Baseline Configurations
  • CM-6 - Configuration Settings
  • CM-7 - Least Functionality
  • CM-8 - Information System Component Inventory
  • CM-10 - Software Usage Restrictions
  • CM-11 - User-Installed Software
  • CP-9 - Information System Backup
  • IA-02 (1) - Identification and Authentication (Organizational Users)
  • IA-4 - Identifier Management
  • IA-5 - Authenticator Management
  • IA-5 (1) - Authenticator Management
  • IA-6 - Authenticator Feedback
  • IR-1 - Incident Response Policy and Procedures
  • IR-2 - Incident Response Training
  • IR-6 - Incident Reporting
  • IR-8 - Incident Response Plan
  • MP-2 - Media Access
  • MP-7 - Media Use
  • RA-5 - Vulnerability Scanning
  • SA-9 - External Information System Services
  • SC-7 - Boundary Protection
  • SC-20 - Secure Name / Address Resolution Service (Authoritative Source)
  • SC-21 - Secure Name / Address Resolution Service (Recursive or Caching Resolver)
  • SC-39 - Process Isolation
  • SI-3 - Malicious Code Protection
  • SI-4 - Information System Monitoring
  • SI-5 - Security Alerts, Advisories, and Directives
  • SI-16 - Memory Protection
   
AC.1.001 - Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
   
AC.1.002 - Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
   
AC.1.003 - Verify and control/limit connections to and use of external information systems.
   
AC.2.006 - Limit use of portable storage devices on external systems.
   
AC.2.007 - Employ the principle of least privilege, including for specific security functions and privileged accounts.
   
AC.2.008 - Use non-privileged accounts or roles when accessing nonsecurity functions.
   
AC.2.010 - Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
   
AC.2.011 - Authorize wireless access prior to allowing such connections.
   
AC.2.013 - Monitor and control remote access sessions.
   
AC.2.015 - Route remote access via managed access control points.
   
AC.2.016 - Control the flow of CUI in accordance with approved authorizations.
   
AC.3.012 - Protect wireless access using authentication and encryption.
   
AC.3.014 - Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
   
AC.3.018 - Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
   
AC.3.019 - Terminate (automatically) user sessions after a defined condition.
   
AC.3.020 - Control connection of mobile devices.
   
AC.3.021 - Authorize remote execution of privileged commands and remote access to security-relevant information.
   
AC.3.022 - Encrypt CUI on mobile devices and mobile computing platforms.
   
AC.4.023 - Control information flows between security domains on connected systems.
   
AC.4.025 - Periodically review and update CUI program access permissions.
   
AC.4.032 - Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.
   
AC.5.024 - Identify and mitigate risk associated with unidentified wireless access points connected to the network.
   
AM.3.036 - Define procedures for the handling of CUI data.
   
AM.4.226 - Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
   
AT.2.056 - Ensure that managers, system administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.
   
AT.2.057 - Ensure that personnel are trained to carry out their assigned information security- related duties and responsibilities.
   
AT.3.058 - Provide security awareness training on recognizing and reporting potential indicators of insider threat.
   
AT.4.059 - Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
   
AT.4.060 - Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
   
AU.2.041 - Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
   
AU.2.042 - Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.
   
AU.2.043 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
   
AU.2.044 - Review audit logs.
   
AU.3.045 - Review and update logged events.
   
AU.3.046 - Alert in the event of an audit logging process failure.
   
AU.3.048 - Collect audit information (e.g., logs) into one or more central repositories.
   
AU.3.050 - Limit management of audit logging functionality to a subset of privileged users.
   
AU.3.051 - Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.
   
AU.3.052 - Provide audit record reduction and report generation to support on-demand analysis and reporting.
   
AU.4.053 - Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
   
AU.5.055 - Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
   
CA.2.157 - Develop, document and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.
   
CA.3.162 - Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally-defined as an area of risk.
   
CA.4.164 - Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
   
CA.4.227 - Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
   
CM.2.061 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
   
CM.2.062 - Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
   
CM.2.063 - Control and monitor user-installed software.
   
CM.2.064 - Establish and enforce security configuration settings for information technology products employed in organizational systems.
   
CM.2.065 - Track, review, approve or disapprove and log changes to organizational systems.
   
CM.3.067 - Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems.
   
CM.3.068 - Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
   
CM.3.069 - Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
   
CM.4.073 - Employ application whitelisting and an application vetting process for systems identified by the organization.
   
IA.1.076 - Identify information system users, processes acting on behalf of users or devices.
   
IA.1.077 - Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
   
IA.2.078 - Enforce a minimum password complexity and change of characters when new passwords are created.
   
IA.2.079 - Prohibit password reuse for a specified number of generations.
   
IA.2.081 - Store and transmit only cryptographically- protected passwords.
   
IA.3.083 - Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
   
IA.3.085 - Prevent the reuse of identifiers for a defined period.
   
IA.3.086 - Disable identifiers after a defined period of inactivity.
   
IR.2.092 - Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities.
   
IR.2.093 - Detect and report events.
   
IR.2.095 - Develop and implement responses to declared incidents according to pre- defined procedures.
   
IR.3.098 - Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.
   
IR.3.099 - Test the organizational incident response capability.
   
IR.5.110 - Perform unannounced operational exercises to demonstrate technical and procedural responses.
   
MA.2.111 - Establish and enforce security configuration settings for information technology products employed in organizational systems.
   
MP.2.120 - Limit access to CUI on system media to authorized users.
   
MP.2.121 - Control the use of removable media on system components.
   
MP.3.123 - Prohibit the use of portable storage devices when such devices have no identifiable owner.
   
MP.3.125 - Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
   
PS.2.128 - Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
   
RE.2.137 - Regularly perform and test data back-ups.
   
RE.2.138 - Protect the confidentiality of backup CUI at storage locations.
   
RE.3.139 - Regularly perform complete, comprehensive and resilient data backups as organizationally-defined.
   
RM.2.142 - Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
   
RM.2.143 - Remediate vulnerabilities in accordance with risk assessments.
   
RM.3.144 - Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.
   
RM.3.147 - Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
   
RM.4.151 - Perform scans for unauthorized ports available across perimeter network boundaries, over the organization's Internet boundaries and other organization-defined boundaries.
   
RM.5.152 - Utilize an exception process for non-whitelisted software that includes mitigation techniques.
   
SC.1.175 - Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
   
SC.1.176 - Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
   
SC.2.179 - Use encrypted sessions for the management of network devices.
   
SC.3.177 - Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
   
SC.3.180 - Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.
   
SC.3.181 - Separate user functionality from system management functionality.
   
SC.3.183 - Deny network communications traffic by default and allow network communications traffic by exception (e.g., deny all, permit by exception).
   
SC.3.184 - Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (e.g., split tunneling).
   
SC.3.185 - Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
   
SC.3.187 - Establish and manage cryptographic keys for cryptography employed in organizational systems.
   
SC.3.188 - Control and monitor the use of mobile code.
   
SC.3.191 - Protect the confidentiality of CUI at rest.
   
SC.3.192 - Implement Domain Name System (DNS) filtering services.
   
SC.3.193 - Implement a policy restricting the publication of CUI on externally-owned, publicly-accessible websites (e.g., forums, LinkedIn, Facebook, Twitter, etc.).
   
SC.4.197 - Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
   
SC.4.199 - Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
   
SC.4.202 - Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.
   
SC.4.228 - Isolate administration of organizationally-defined high-value critical network infrastructure components and servers.
   
SC.4.229 - Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
   
SC.5.198 - Configure monitoring systems to record packets passing through the organization's Internet network boundaries and other organizational-defined boundaries.
   
SC.5.208 - Employ organizationally-defined and tailored boundary protections in addition to commercially-available solutions.
   
SC.5.230 - Enforce port and protocol compliance.
   
SI.1.210 - Identify, report and correct information and information system flaws in a timely manner.
   
SI.1.211 - Provide protection from malicious code at appropriate locations within organizational information systems.
   
SI.1.212 - Update malicious code protection mechanisms when new releases are available.
   
SI.1.213 - Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
   
SI.2.214 - Monitor system security alerts and advisories and take action in response.
   
SI.2.216 - Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
   
SI.2.217 - Identify unauthorized use of organizational systems.
   
SI.3.218 - Employ spam protection mechanisms at information system access entry and exit points.
   
SI.3.219 - Implement email forgery protections.
   
SI.3.220 - Utilize email sandboxing to detect or block potentially malicious email.
   
SI.5.222 - Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
   
SI.5.223 - Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
   
T1001 - Data Obfuscation
   
T1002 - Data Compressed
   
T1003 - Credential Dumping
   
T1004 - Winlogon Helper DLL
   
T1008 - Fallback Channels
   
T1011 - Exfiltration Over Other Network Medium
   
T1015 - Accessibility Features
   
T1017 - Application Deployment Software
   
T1019 - System Firmware
   
T1021 - Remote Services
   
T1023 - Shortcut Modification
   
T1024 - Custom Cryptographic Protocol
   
T1026 - Multiband Communication
   
T1027 - Obfuscated Files or Information
   
T1028 - Windows Remote Management
   
T1029 - Scheduled Transfer
   
T1030 - Data Transfer Size Limits
   
T1031 - Modify Existing Service
   
T1032 - Standard Cryptographic Protocol
   
T1034 - Path Interception
   
T1035 - Service Execution
   
T1036 - Masquerading
   
T1037 - Logon Scripts
   
T1038 - DLL Search Order Hijacking
   
T1040 - Network Sniffing
   
T1041 - Exfiltration Over Command and Control Channel
   
T1043 - Commonly Used Port
   
T1044 - File System Permissions Weakness
   
T1045 - Software Packing
   
T1046 - Network Service Scanning
   
T1047 - Windows Management Instrumentation
   
T1048 - Exfiltration Over Alternative Protocol
   
T1050 - New Service
   
T1051 - Shared Webroot
   
T1052 - Exfiltration Over Physical Medium
   
T1053 - Scheduled Task
   
T1054 - Indicator Blocking
   
T1055 - Process Injection
   
T1058 - Service Registry Permissions Weakness
   
T1059 - Command-Line Interface
   
T1064 - Scripting
   
T1065 - Uncommonly Used Port
   
T1067 - Bootkit
   
T1068 - Exploitation for Privilege Escalation
   
T1070 - Indicator Removal on Host
   
T1071 - Standard Application Layer Protocol
   
T1072 - Third-party Software
   
T1073 - DLL Side-Loading
   
T1075 - Pass the Hash
   
T1076 - Remote Desktop Protocol
   
T1077 - Windows Admin Shares
   
T1078 - Valid Accounts
   
T1079 - Multilayer Encryption
   
T1080 - Taint Shared Content
   
T1081 - Credentials in Files
   
T1084 - Windows Management Instrumentation Event Subscription
   
T1085 - Rundll32
   
T1086 - PowerShell
   
T1087 - Account Discovery
   
T1088 - Bypass User Account Control
   
T1089 - Disabling Security Tools
   
T1090 - Connection Proxy
   
T1091 - Replication Through Removable Media
   
T1092 - Communication Through Removable Media
   
T1094 - Custom Command and Control Protocol
   
T1095 - Standard Non-Application Layer Protocol
   
T1096 - NTFS File Attributes
   
T1097 - Pass the Ticket
   
T1098 - Account Manipulation
   
T1100 - Web Shell
   
T1101 - Security Support Provider
   
T1102 - Web Service
   
T1103 - AppInit DLLs
   
T1104 - Multi-Stage Channels
   
T1105 - Remote File Copy
   
T1106 - Execution through API
   
T1108 - Redundant Access
   
T1110 - Brute Force
   
T1111 - Two-Factor Authentication Interception
   
T1112 - Modify Registry
   
T1114 - Email Collection
   
T1117 - Regsvr32
   
T1118 - InstallUtil
   
T1119 - Automated Collection
   
T1121 - Regsvcs/Regasm
   
T1127 - Trusted Developer Utilities
   
T1129 - Execution through Module Load
   
T1130 - Install Root Certificate
   
T1131 - Authentication Package
   
T1132 - Data Encoding
   
T1133 - External Remote Services
   
T1134 - Access Token Manipulation
   
T1136 - Create Account
   
T1137 - Office Application Startup
   
T1138 - Application Shimming
   
T1139 - Bash History
   
T1141 - Input Prompt
   
T1142 - Keychain
   
T1143 - Hidden Window
   
T1144 - Gatekeeper Bypass
   
T1145 - Private Keys
   
T1146 - Clear Command History
   
T1147 - Hidden Users
   
T1148 - HISTCONTROL
   
T1149 - LC_MAIN Hijacking
   
T1150 - Plist Modification
   
T1152 - Launchctl
   
T1155 - AppleScript
   
T1156 - .bash_profile and .bashrc
   
T1157 - Dylib Hijacking
   
T1159 - Launch Agent
   
T1160 - Launch Daemon
   
T1161 - LC_LOAD_DYLIB Addition
   
T1162 - Login Item
   
T1163 - Rc.common
   
T1164 - Re-opened Applications
   
T1165 - Startup Items
   
T1166 - Setuid and Setgid
   
T1168 - Local Job Scheduling
   
T1169 - Sudo
   
T1170 - Mshta
   
T1171 - LLMNR/NBT-NS Poisoning and Relay
   
T1172 - Domain Fronting
   
T1173 - Dynamic Data Exchange
   
T1174 - Password Filter DLL
   
T1175 - Component Object Model and Distributed COM
   
T1176 - Browser Extensions
   
T1177 - LSASS Driver
   
T1178 - SID-History Injection
   
T1180 - Screensaver
   
T1182 - AppCert DLLs
   
T1184 - SSH Hijacking
   
T1185 - Man in the Browser
   
T1187 - Forced Authentication
   
T1188 - Multi-hop Proxy
   
T1189 - Drive-by Compromise
   
T1190 - Exploit Public-Facing Application
   
T1191 - CMSTP
   
T1192 - Spearphishing Link
   
T1193 - Spearphishing Attachment
   
T1194 - Spearphishing via Service
   
T1195 - Supply Chain Compromise
   
T1196 - Control Panel Items
   
T1197 - BITS Jobs
   
T1198 - SIP and Trust Provider Hijacking
   
T1199 - Trusted Relationship
   
T1200 - Hardware Additions
   
T1201 - Password Policy Discovery
   
T1203 - Exploitation for Client Execution
   
T1204 - User Execution
   
T1205 - Port Knocking
   
T1206 - Sudo Caching
   
T1208 - Kerberoasting
   
T1209 - Time Providers
   
T1210 - Exploitation of Remote Services
   
T1211 - Exploitation for Defense Evasion
   
T1212 - Exploitation for Credential Access
   
T1213 - Data from Information Repositories
   
T1214 - Credentials in Registry
   
T1215 - Kernel Modules and Extensions
   
T1216 - Signed Script Proxy Execution
   
T1218 - Signed Binary Proxy Execution
   
T1219 - Remote Access Tools
   
T1220 - XSL Script Processing
   
T1221 - Template Injection
   
T1223 - Compiled HTML File
   
T1413 - Access Sensitive Data in Device Logs
   
T1482 - Domain Trust Discovery
   
T1483 - Domain Generation Algorithms
   
T1484 - Group Policy Modification
   
T1485 - Data Destruction
   
T1486 - Data Encrypted for Impact
   
T1487 - Disk Structure Wipe
   
T1488 - Disk Content Wipe
   
T1489 - Service Stop
   
T1490 - Inhibit System Recovery
   
T1491 - Defacement
   
T1492 - Stored Data Manipulation
   
T1493 - Transmitted Data Manipulation