
Federal Information Systems Low Impact Procedure

Title; FIPS Low Impact
Doc. No.
Rev. No.
Date: Page 1 of x
Company Name
Division or Address
Division or Address
FIPS Specifications for Minimum Security Requirements Procedure
Approved:
__________________________________________________
title
Name
Approved:
___________________________________________________
title
Name
Approved:
__________________________________________________
title
Name
Approved:
__________________________________________________
title
Name
Approved:
__________________________________________________
title
Name
1. Change Record
Rev  Date  Responsible Person  Description of Change
A    date  Name                Initial Release
2. Distribution List
Information Systems Security (ISS)
Development Operations (DevOPs)
(List the departments that receive controlled copies)
3. Acronyms
FIPS    Federal Information Processing
Controlled Copy, Do Not Duplicate
For Internal Use Only
4. Definitions
5. Purpose
5.1. The purpose of this procedure is to establish the executive directive of the minimum standards for Federal Information Processing Systems (FIPS). Our company's information systems and information are categorized as Low impact. This also applies to the security objectives of confidentiality, integrity, and availability.
6. Policy for the Standards for Security Categorization of Federal Information and Information Systems
Our company will follow the standards for Federal Information Processing Systems (FIPS). Our company will be categorized as Low Impact, Moderate Impact, or High Impact. This will apply to the security objectives of confidentiality, integrity, and availability.
The Minimum Security requirements shall cover the 17 security-related areas with regard to protecting confidentiality, integrity, and availability. This applies to federal information systems and to information processed, stored, and transmitted by those systems.
8. Scope
This applies to:
I. Standards for categorizing information and information systems according to a range of risk levels
8.I.1. Information collected or maintained by or on behalf of each federal agency
8.I.2. Providing appropriate levels of information security
8.I.3. Guidelines for categorizing the types of information and information systems
II. Minimum information security requirements for information and information systems in each category
9. Responsibilities
9.1. Chief Information Officer (CIO)
The person responsible for:
1. Providing advice to the executive committee or decision makers for acquiring technology
2. Ensuring information systems are managed in accordance with Executive Orders, directives, policies, regulations and priorities established by our company
3. Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the company
4. Promoting the effective and efficient design and operation of all major information resources management processes for the company, including improvements
9.2. Chief Information Security Officer
1. Responsible for carrying out the directives of the CIO.
10. Low Impact Security Control Selection Process
10.1. FIPS requires that organizations performing information system security comply with the requirements of FIPS 200 / FIPS 199. They must select the appropriate security controls and assurance requirements described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
10.1.1. The following table lists the minimum security controls for Low Impact systems, taken from the low baseline controls of NIST 800-53. They assure that the minimum assurance requirements associated with the low baseline are satisfied.
No.  Control     NIST ID    Control Name
ACCESS CONTROL
1    AC-01       AC-1       ACCESS CONTROL POLICY AND PROCEDURES
2    AC-02       AC-2       ACCOUNT MANAGEMENT
3    AC-03       AC-3       ACCESS ENFORCEMENT
4    AC-07       AC-7       UNSUCCESSFUL LOGON ATTEMPTS
5    AC-08       AC-8       SYSTEM USE NOTIFICATION
6    AC-14       AC-14      PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
7    AC-17       AC-17      REMOTE ACCESS
8    AC-18       AC-18      WIRELESS ACCESS
9    AC-19       AC-19      ACCESS CONTROL FOR MOBILE DEVICES
10   AC-20       AC-20      USE OF EXTERNAL INFORMATION SYSTEMS
11   AC-22       AC-22      PUBLICLY ACCESSIBLE CONTENT
AWARENESS AND TRAINING
12   AT-01       AT-1       SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
13   AT-02       AT-2       SECURITY AWARENESS TRAINING
14   AT-03       AT-3       ROLE-BASED SECURITY TRAINING
15   AT-04       AT-4       SECURITY TRAINING RECORDS
AUDIT AND ACCOUNTABILITY
16   AU-01       AU-1       AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
17   AU-02       AU-2       AUDIT EVENTS
18   AU-03       AU-3       CONTENT OF AUDIT RECORDS
19   AU-04       AU-4       AUDIT STORAGE CAPACITY
20   AU-05       AU-5       RESPONSE TO AUDIT PROCESSING FAILURES
21   AU-06       AU-6       AUDIT REVIEW, ANALYSIS, AND REPORTING
22   AU-08       AU-8       TIME STAMPS
23   AU-09       AU-9       PROTECTION OF AUDIT INFORMATION
24   AU-11       AU-11      AUDIT RECORD RETENTION
25   AU-12       AU-12      AUDIT GENERATION
SECURITY ASSESSMENT AND AUTHORIZATION
26   CA-01       CA-1       SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
27   CA-02       CA-2       SECURITY ASSESSMENTS
28   CA-02 (01)  CA-2 (1)   SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS
29   CA-03       CA-3       SYSTEM INTERCONNECTIONS
30   CA-05       CA-5       PLAN OF ACTION AND MILESTONES
31   CA-06       CA-6       SECURITY AUTHORIZATION
32   CA-07       CA-7       CONTINUOUS MONITORING
33   CA-09       CA-9       INTERNAL SYSTEM CONNECTIONS
CONFIGURATION MANAGEMENT
34   CM-01       CM-1       CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
35   CM-02       CM-2       BASELINE CONFIGURATION
36   CM-04       CM-4       SECURITY IMPACT ANALYSIS
37   CM-06       CM-6       CONFIGURATION SETTINGS
38   CM-07       CM-7       LEAST FUNCTIONALITY
39   CM-08       CM-8       INFORMATION SYSTEM COMPONENT INVENTORY
40   CM-10       CM-10      SOFTWARE USAGE RESTRICTIONS
41   CM-11       CM-11      USER-INSTALLED SOFTWARE
CONTINGENCY PLANNING
42   CP-01       CP-1       CONTINGENCY PLANNING POLICY AND PROCEDURES
43   CP-02       CP-2       CONTINGENCY PLAN
44   CP-03       CP-3       CONTINGENCY TRAINING
45   CP-04       CP-4       CONTINGENCY PLAN TESTING
46   CP-09       CP-9       INFORMATION SYSTEM BACKUP
47   CP-10       CP-10      INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
IDENTIFICATION AND AUTHENTICATION
48   IA-01       IA-1       IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
49   IA-02       IA-2       IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
50   IA-02 (01)  IA-2 (1)   IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
51   IA-02 (12)  IA-2 (12)  IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS
52   IA-04       IA-4       IDENTIFIER MANAGEMENT
53   IA-05       IA-5       AUTHENTICATOR MANAGEMENT
54   IA-05 (01)  IA-5 (1)   AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
55   IA-05 (11)  IA-5 (11)  AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION
56   IA-06       IA-6       AUTHENTICATOR FEEDBACK
57   IA-07       IA-7       CRYPTOGRAPHIC MODULE AUTHENTICATION
58   IA-08       IA-8       IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
59   IA-08 (01)  IA-8 (1)   IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
60   IA-08 (02)  IA-8 (2)   IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTY CREDENTIALS
61   IA-08 (03)  IA-8 (3)   IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PRODUCTS
62   IA-08 (04)  IA-8 (4)   IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES
INCIDENT RESPONSE
63   IR-01       IR-1       INCIDENT RESPONSE POLICY AND PROCEDURES
64   IR-02       IR-2       INCIDENT RESPONSE TRAINING
65   IR-04       IR-4       INCIDENT HANDLING
66   IR-05       IR-5       INCIDENT MONITORING
67   IR-06       IR-6       INCIDENT REPORTING
68   IR-07       IR-7       INCIDENT RESPONSE ASSISTANCE
69   IR-08       IR-8       INCIDENT RESPONSE PLAN
MAINTENANCE
70   MA-01       MA-1       SYSTEM MAINTENANCE POLICY AND PROCEDURES
71   MA-02       MA-2       CONTROLLED MAINTENANCE
72   MA-04       MA-4       NONLOCAL MAINTENANCE
73   MA-05       MA-5       MAINTENANCE PERSONNEL
MEDIA PROTECTION
74   MP-01       MP-1       MEDIA PROTECTION POLICY AND PROCEDURES
75   MP-02       MP-2       MEDIA ACCESS
76   MP-06       MP-6       MEDIA SANITIZATION
77   MP-07       MP-7       MEDIA USE
PHYSICAL AND ENVIRONMENTAL PROTECTION
78   PE-01       PE-1       PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
79   PE-02       PE-2       PHYSICAL ACCESS AUTHORIZATIONS
80   PE-03       PE-3       PHYSICAL ACCESS CONTROL
81   PE-06       PE-6       MONITORING PHYSICAL ACCESS
82   PE-08       PE-8       VISITOR ACCESS RECORDS
83   PE-12       PE-12      EMERGENCY LIGHTING
84   PE-13       PE-13      FIRE PROTECTION
85   PE-14       PE-14      TEMPERATURE AND HUMIDITY CONTROLS
86   PE-15       PE-15      WATER DAMAGE PROTECTION
87   PE-16       PE-16      DELIVERY AND REMOVAL
PLANNING
88   PL-01       PL-1       SECURITY PLANNING POLICY AND PROCEDURES
89   PL-02       PL-2       SYSTEM SECURITY PLAN
90   PL-04       PL-4       RULES OF BEHAVIOR
PERSONNEL SECURITY
91   PS-01       PS-1       PERSONNEL SECURITY POLICY AND PROCEDURES
92   PS-02       PS-2       POSITION RISK DESIGNATION
93   PS-03       PS-3       PERSONNEL SCREENING
94   PS-04       PS-4       PERSONNEL TERMINATION
95   PS-05       PS-5       PERSONNEL TRANSFER
96   PS-06       PS-6       ACCESS AGREEMENTS
97   PS-07       PS-7       THIRD-PARTY PERSONNEL SECURITY
98   PS-08       PS-8       PERSONNEL SANCTIONS
RISK ASSESSMENT
99   RA-01       RA-1       RISK ASSESSMENT POLICY AND PROCEDURES
100  RA-02       RA-2       SECURITY CATEGORIZATION
101  RA-03       RA-3       RISK ASSESSMENT
102  RA-05       RA-5       VULNERABILITY SCANNING
SYSTEM AND SERVICES ACQUISITION
103  SA-01       SA-1       SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
104  SA-02       SA-2       ALLOCATION OF RESOURCES
105  SA-03       SA-3       SYSTEM DEVELOPMENT LIFE CYCLE
106  SA-04       SA-4       ACQUISITION PROCESS
107  SA-05       SA-5       INFORMATION SYSTEM DOCUMENTATION
108  SA-09       SA-9       EXTERNAL INFORMATION SYSTEM SERVICES
SYSTEM AND COMMUNICATIONS PROTECTION
109  SC-01       SC-1       SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
110  SC-05       SC-5       DENIAL OF SERVICE PROTECTION
111  SC-07       SC-7       BOUNDARY PROTECTION
112  SC-12       SC-12      CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
113  SC-13       SC-13      CRYPTOGRAPHIC PROTECTION
114  SC-15       SC-15      COLLABORATIVE COMPUTING DEVICES
115  SC-20       SC-20      SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
116  SC-21       SC-21      SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
117  SC-22       SC-22      ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE
118  SC-39       SC-39      PROCESS ISOLATION
SYSTEM AND INFORMATION INTEGRITY
119  SI-01       SI-1       SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
120  SI-02       SI-2       FLAW REMEDIATION
121  SI-03       SI-3       MALICIOUS CODE PROTECTION
122  SI-04       SI-4       INFORMATION SYSTEM MONITORING
123  SI-05       SI-5       SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
124  SI-12       SI-12      INFORMATION HANDLING AND RETENTION
125  SI-16       SI-16      MEMORY PROTECTION
11. Risk Management
I. The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program for the management of risk—that is, the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
Tier 1 provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions—promoting cost-effective, efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance. Tier 2 includes: (i) defining the mission/business processes needed to support the organizational missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the allocation of security controls to organizational information systems and the environments in which those systems operate. The Risk Management Framework (RMF), depicted in Figure 2, is the primary means for addressing risk at Tier 3.[1] This publication focuses on Step 2 of the RMF, the security control selection process, in the context of the three tiers in the organizational risk management hierarchy.
Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;[2]
Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays);
Step 3: Implement the security controls and document the design, development, and implementation details for the controls;
Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;[3]
Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance to legislation, Executive Orders, directives, policies, regulations, and standards.
[1] NIST Special Publication 800-37 provides guidance on the implementation of the Risk Management Framework. A complete listing of all publications supporting the RMF and referenced in Figure 2 is provided in Appendix A.
[2] CNSS Instruction 1253 provides security categorization guidance for national security systems.
[3] NIST Special Publication 800-53A provides guidance on assessing the effectiveness of security controls.
[Figure 1: Risk Management Framework (Security Life Cycle). Starting point: Architecture Description (Mission/Business Processes, FEA Reference Models, Segment and Solution Architectures, Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy, Guidance; Strategic Goals and Objectives; Information Security Requirements; Priorities and Resource Availability). Steps, repeated as necessary: Step 1 CATEGORIZE Information Systems (FIPS 199 / SP 800-60); Step 2 SELECT Security Controls (FIPS 200 / SP 800-53); Step 3 IMPLEMENT Security Controls (SP 800-160); Step 4 ASSESS Security Controls (SP 800-53A); Step 5 AUTHORIZE Information Systems (SP 800-37); Step 6 MONITOR Security Controls (SP 800-137).]
Note: CNSS Instruction 1253 provides guidance for RMF Steps 1 and 2 for National Security Systems (NSS).
Figure 1 Risk Management Framework
12. Security Control Structure
TABLE 1: SECURITY CONTROL IDENTIFIERS AND FAMILY NAMES
ID  FAMILY                                  ID  FAMILY
AC  Access Control                          MP  Media Protection
AT  Awareness and Training                  PE  Physical and Environmental Protection
AU  Audit and Accountability                PL  Planning
CA  Security Assessment and Authorization   PS  Personnel Security
CM  Configuration Management                RA  Risk Assessment
CP  Contingency Planning                    SA  System and Services Acquisition
IA  Identification and Authentication       SC  System and Communications Protection
IR  Incident Response                       SI  System and Information Integrity
MA  Maintenance                             PM  Program Management