
The following provides a markup copy of Special Publication 800-53, Revision 4, Appendix D.

If discrepancies are noted between the markup copy and the Initial Public Draft (IPD) released on February 28th, the IPD takes precedence.

TABLE D-2: SECURITY CONTROL BASELINES


Access Control

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| AC-1 | Access Control Policy and Procedures | P1 | AC-1 | AC-1 | AC-1 |
| AC-2 | Account Management | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (12) (13) |
| AC-3 | Access Enforcement | P1 | AC-3 | AC-3 | AC-3 |
| AC-4 | Information Flow Enforcement | P1 | Not Selected | AC-4 | AC-4 |
| AC-5 | Separation of Duties | P1 | Not Selected | AC-5 | AC-5 |
| AC-6 | Least Privilege | P1 | Not Selected | AC-6 (1) (2) (5) | AC-6 (1) (2) (3) (5) |
| AC-7 | Unsuccessful Login Attempts | P2 | AC-7 | AC-7 | AC-7 |
| AC-8 | System Use Notification | P1 | AC-8 | AC-8 | AC-8 |
| AC-9 | Previous Logon (Access) Notification | P0 | Not Selected | Not Selected | Not Selected |
| AC-10 | Concurrent Session Control | P2 | Not Selected | Not Selected | AC-10 |
| AC-11 | Session Lock | P3 | Not Selected | AC-11 | AC-11 |
| AC-12 | Withdrawn | -- | -- | -- | -- |
| AC-13 | Withdrawn | -- | -- | -- | -- |
| AC-14 | Permitted Actions without Identification or Authentication | P1 | AC-14 | AC-14 | AC-14 |
| AC-15 | Withdrawn | -- | -- | -- | -- |
| AC-16 | Security Attributes | P0 | Not Selected | Not Selected | Not Selected |
| AC-17 | Remote Access | P1 | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access | P1 | AC-18 | AC-18 (1) | AC-18 (1) (4) (5) |
| AC-19 | Access Control for Mobile Devices | P1 | AC-19 | AC-19 (6) | AC-19 (6) |
| AC-20 | Use of External Information Systems | P1 | AC-20 | AC-20 (1) (2) | AC-20 (1) (2) |
| AC-21 | Collaboration and Information Sharing | P0 | Not Selected | AC-21 | AC-21 |
| AC-22 | Publicly Accessible Content | P2 | AC-22 | AC-22 | AC-22 |
| AC-23 | Data Mining Protection | P0 | Not Selected | Not Selected | Not Selected |
| AC-24 | Access Control Decisions | P0 | Not Selected | Not Selected | Not Selected |
| AC-25 | Reference Monitor Function | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "(5) (7) (8)"; "(5) (7) (8)"; "2) ("; "1) (2) (3"; "1) (2) (3"; "User-Based"; "Not Selected"; "Not Selected"; "(1)"; "(1)".

Awareness and Training

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| AT-1 | Security Awareness and Training Policy and Procedures | P1 | AT-1 | AT-1 | AT-1 |
| AT-2 | Security Awareness | P1 | AT-2 | AT-2 (2) | AT-2 (2) |
| AT-3 | Security Training | P1 | AT-3 | AT-3 | AT-3 |
| AT-4 | Security Training Records | P3 | AT-4 | AT-4 | AT-4 |
| AT-5 | Contacts with Security Groups and Associations | P3 | Not Selected | AT-5 | AT-5 |

Deleted (markup annotations in this section): "P0"; "Not Selected".

Audit and Accountability

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| AU-1 | Audit and Accountability Policy and Procedures | P1 | AU-1 | AU-1 | AU-1 |
| AU-2 | Auditable Events | P1 | AU-2 | AU-2 (3) (4) | AU-2 (3) (4) |
| AU-3 | Content of Audit Records | P1 | AU-3 | AU-3 (1) | AU-3 (1) (2) |
| AU-4 | Audit Storage Capacity | P1 | AU-4 | AU-4 | AU-4 |
| AU-5 | Response to Audit Processing Failures | P1 | AU-5 | AU-5 | AU-5 (1) (2) |
| AU-6 | Audit Review, Analysis, and Reporting | P1 | AU-6 | AU-6 (1) (3) (9) | AU-6 (1) (3) (5) (6) (9) |
| AU-7 | Audit Reduction and Report Generation | P2 | Not Selected | AU-7 (1) | AU-7 (1) |
| AU-8 | Time Stamps | P1 | AU-8 | AU-8 (1) | AU-8 (1) |
| AU-9 | Protection of Audit Information | P1 | AU-9 | AU-9 (4) | AU-9 (2) (3) (4) |
| AU-10 | Non-repudiation | P1 | Not Selected | Not Selected | AU-10 |
| AU-11 | Audit Record Retention | P3 | AU-11 | AU-11 | AU-11 |
| AU-12 | Audit Generation | P1 | AU-12 | AU-12 | AU-12 (1) (3) |
| AU-13 | Monitoring for Information Disclosure | P0 | Not Selected | Not Selected | Not Selected |
| AU-14 | Session Audit | P0 | Not Selected | Not Selected | Not Selected |
| AU-15 | Alternate Audit Capability | P0 | Not Selected | Not Selected | Not Selected |
| AU-16 | Cross-Organizational Auditing | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "Not Selected".

APPENDIX D

PAGE D-2

Security Assessment and Authorization

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CA-1 | Security Assessment and Authorization Policies and Procedures | P1 | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | P2 | CA-2 | CA-2 (1) | CA-2 (1) (2) |
| CA-3 | Information System Connections | P1 | CA-3 | CA-3 | CA-3 |
| CA-4 | Withdrawn | -- | -- | -- | -- |
| CA-5 | Plan of Action and Milestones | P3 | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Authorization | P3 | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | P3 | CA-7 | CA-7 (1) | CA-7 (1) |

Configuration Management

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CM-1 | Configuration Management Policy and Procedures | P1 | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration | P1 | CM-2 | CM-2 (1) (3) | CM-2 (1) (2) (3) (6) |
| CM-3 | Configuration Change Control | P1 | Not Selected | CM-3 (2) | CM-3 (1) (2) |
| CM-4 | Security Impact Analysis | P2 | Not Selected | CM-4 | CM-4 (1) |
| CM-5 | Access Restrictions for Change | P1 | Not Selected | CM-5 | CM-5 (1) (2) (3) |
| CM-6 | Configuration Settings | P1 | CM-6 | CM-6 | CM-6 (1) (2) |
| CM-7 | Least Functionality | P1 | CM-7 | CM-7 (1) (4) | CM-7 (1) (2) (5) |
| CM-8 | Information System Component Inventory | P1 | CM-8 | CM-8 (1) (5) | CM-8 (1) (2) (3) (4) (5) |
| CM-9 | Configuration Management Plan | P1 | Not Selected | CM-9 | CM-9 |
| CM-10 | Software Usage Restrictions | P1 | CM-10 | CM-10 | CM-10 |
| CM-11 | User-Installed Software | P1 | CM-11 | CM-11 | CM-11 |

Deleted (markup annotations in this section): "(3)"; "(3)"; "CM-4"; "(4)"; "5) (".

Contingency Planning

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| CP-1 | Contingency Planning Policy and Procedures | P1 | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | P1 | CP-2 | CP-2 (1) (3) (8) | CP-2 (1) (2) (3) (4) (5) (8) |
| CP-3 | Contingency Training | P2 | CP-3 | CP-3 | CP-3 (1) |
| CP-4 | Contingency Plan Testing | P2 | CP-4 | CP-4 (1) | CP-4 (1) (2) (4) |
| CP-5 | Withdrawn | -- | -- | -- | -- |
| CP-6 | Alternate Storage Site | P1 | Not Selected | CP-6 (1) (3) | CP-6 (1) (2) (3) |
| CP-7 | Alternate Processing Site | P1 | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4) |
| CP-8 | Telecommunications Services | P1 | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4) |
| CP-9 | Information System Backup | P1 | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) (5) |
| CP-10 | Information System Recovery and Reconstitution | P1 | CP-10 | CP-10 (2) (3) | CP-10 (2) (3) (4) (5) |
| CP-11 | Predictable Failure Prevention | P1 | Not Selected | Not Selected | CP-11 |
| CP-12 | Alternate Communications Protocols | P0 | Not Selected | Not Selected | Not Selected |
| CP-13 | Safe Mode | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "and Exercises"; "(5)"; "(5)".

Identification and Authentication

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| IA-1 | Identification and Authentication Policy and Procedures | P1 | IA-1 | IA-1 | IA-1 |
| IA-2 | Identification and Authentication (Organizational Users) | P1 | IA-2 (1) | IA-2 (1) (2) (3) (8) | IA-2 (1) (2) (3) (4) (8) (9) |
| IA-3 | Device-to-Device Identification and Authentication | P1 | Not Selected | IA-3 | IA-3 |
| IA-4 | Identifier Management | P1 | IA-4 | IA-4 | IA-4 |
| IA-5 | Authenticator Management | P1 | IA-5 (1) | IA-5 (1) (2) (3) | IA-5 (1) (2) (3) |
| IA-6 | Authenticator Feedback | P1 | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authentication | P1 | IA-7 | IA-7 | IA-7 |
| IA-8 | Identification and Authentication (Non-Organizational Users) | P1 | IA-8 | IA-8 | IA-8 |
| IA-9 | Service Identification and Authentication | P0 | Not Selected | Not Selected | Not Selected |
| IA-10 | Alternative Authentication | P0 | Not Selected | Not Selected | Not Selected |
| IA-11 | Adaptive Identification and Authentication | P0 | Not Selected | Not Selected | Not Selected |
| IA-12 | Reauthentication | P0 | Not Selected | Not Selected | Not Selected |

Incident Response

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| IR-1 | Incident Response Policy and Procedures | P1 | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | P2 | IR-2 | IR-2 | IR-2 (1) (2) |
| IR-3 | Incident Response Testing | P2 | Not Selected | IR-3 (2) | IR-3 (1) (2) |
| IR-4 | Incident Handling | P1 | IR-4 | IR-4 (1) | IR-4 (1) (4) |
| IR-5 | Incident Monitoring | P1 | IR-5 | IR-5 | IR-5 (1) |
| IR-6 | Incident Reporting | P1 | IR-6 | IR-6 (1) | IR-6 (1) |
| IR-7 | Incident Response Assistance | P3 | IR-7 | IR-7 (1) | IR-7 (1) |
| IR-8 | Incident Response Plan | P1 | IR-8 | IR-8 | IR-8 |
| IR-9 | Information Spillage Response | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "and Exercises".

Maintenance

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| MA-1 | System Maintenance Policy and Procedures | P1 | MA-1 | MA-1 | MA-1 |
| MA-2 | Controlled Maintenance | P2 | MA-2 | MA-2 | MA-2 (2) |
| MA-3 | Maintenance Tools | P2 | Not Selected | MA-3 (1) (2) | MA-3 (1) (2) (3) |
| MA-4 | Non-Local Maintenance | P1 | MA-4 | MA-4 (1) (2) | MA-4 (1) (2) (3) |
| MA-5 | Maintenance Personnel | P1 | MA-5 | MA-5 | MA-5 (1) |
| MA-6 | Timely Maintenance | P1 | Not Selected | MA-6 | MA-6 |

Deleted (markup annotations in this section): "(1)"; "1) (".

Media Protection

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| MP-1 | Media Protection Policy and Procedures | P1 | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | P1 | MP-2 | MP-2 (1) | MP-2 (1) |
| MP-3 | Media Marking | P1 | Not Selected | MP-3 | MP-3 |
| MP-4 | Media Storage | P1 | Not Selected | MP-4 | MP-4 |
| MP-5 | Media Transport | P1 | Not Selected | MP-5 (4) | MP-5 (3) (4) |
| MP-6 | Media Sanitization | P1 | MP-6 | MP-6 | MP-6 (1) (2) (3) |
| MP-7 | Media Use | P1 | MP-7 | MP-7 (1) (2) | MP-7 (1) (2) |
| MP-8 | Media Downgrading | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "2) ("; "2) (".

Physical and Environmental Protection

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PE-1 | Physical and Environmental Protection Policy and Procedures | P1 | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorizations | P1 | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | P1 | PE-3 | PE-3 | PE-3 (1) |
| PE-4 | Access Control for Transmission Medium | P1 | Not Selected | PE-4 | PE-4 |
| PE-5 | Access Control for Output Devices | P1 | Not Selected | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | P1 | PE-6 | PE-6 (1) | PE-6 (1) (2) |
| PE-7 | Withdrawn | -- | -- | -- | -- |
| PE-8 | Visitor Access Records | P3 | PE-8 | PE-8 | PE-8 (1) |
| PE-9 | Power Equipment and Cabling | P1 | Not Selected | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | P1 | Not Selected | PE-10 | PE-10 |
| PE-11 | Emergency Power | P1 | Not Selected | PE-11 | PE-11 (1) |
| PE-12 | Emergency Lighting | P1 | PE-12 | PE-12 | PE-12 |
| PE-13 | Fire Protection | P1 | PE-13 | PE-13 (1) (2) (3) | PE-13 (1) (2) (3) |
| PE-14 | Temperature and Humidity Controls | P1 | PE-14 | PE-14 | PE-14 |
| PE-15 | Water Damage Protection | P1 | PE-15 | PE-15 | PE-15 (1) |
| PE-16 | Delivery and Removal | P1 | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | P1 | Not Selected | PE-17 | PE-17 |
| PE-18 | Location of Information System Components | P2 | Not Selected | PE-18 (1) | PE-18 (1) |
| PE-19 | Information Leakage | P0 | Not Selected | Not Selected | Not Selected |
| PE-20 | Port and I/O Device Access | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "Visitor Control"; "P1"; "PE-7"; "PE-7 (1)"; "PE-7 (1)"; "(2)"; "Power".

Planning

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PL-1 | Security Planning Policy and Procedures | P1 | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | P1 | PL-2 | PL-2 (3) | PL-2 (3) |
| PL-3 | Withdrawn | -- | -- | -- | -- |
| PL-4 | Rules of Behavior | P1 | PL-4 | PL-4 (1) | PL-4 (1) |
| PL-5 | Withdrawn | -- | -- | -- | -- |
| PL-6 | Withdrawn | -- | -- | -- | -- |
| PL-7 | Security Concept of Operations | P0 | Not Selected | Not Selected | Not Selected |
| PL-8 | Security Architecture | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "Privacy Impact Assessment"; "P1"; "PL-5"; "PL-5"; "PL-5"; "6"; "-Related Activity Planning"; "P3"; "PL-6"; "PL-6".

Personnel Security

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PS-1 | Personnel Security Policy and Procedures | P1 | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Categorization | P1 | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | P1 | PS-3 | PS-3 | PS-3 |
| PS-4 | Personnel Termination | P2 | PS-4 | PS-4 | PS-4 (1) (2) |
| PS-5 | Personnel Transfer | P2 | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | P3 | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | P1 | PS-7 | PS-7 (1) | PS-7 (1) |
| PS-8 | Personnel Sanctions | P3 | PS-8 | PS-8 (1) | PS-8 (1) |

Risk Assessment

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| RA-1 | Risk Assessment Policy and Procedures | P1 | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | P1 | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | P1 | RA-3 | RA-3 | RA-3 |
| RA-4 | Withdrawn | -- | -- | -- | -- |
| RA-5 | Vulnerability Scanning | P1 | RA-5 | RA-5 (1) | RA-5 (1) (2) (3) (4) (5) (7) |

System and Services Acquisition

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-1 | System and Services Acquisition Policy and Procedures | P1 | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | P1 | SA-2 | SA-2 | SA-2 |
| SA-3 | System Development Life Cycle | P1 | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisition Process | P1 | SA-4 | SA-4 (1) (4) | SA-4 (1) (2) (4) |
| SA-5 | Information System Documentation | P2 | SA-5 | SA-5 (1) (3) (6) | SA-5 (1) (2) (3) (6) |
| SA-6 | Withdrawn | -- | -- | -- | -- |
| SA-7 | Withdrawn | -- | -- | -- | -- |
| SA-8 | Security Engineering Principles | P1 | Not Selected | SA-8 | SA-8 |
| SA-9 | External Information System Services | P1 | SA-9 | SA-9 (2) | SA-9 (2) (3) |
| SA-10 | Developer Configuration Management | P1 | Not Selected | SA-10 | SA-10 |
| SA-11 | Developer Security Testing | P2 | Not Selected | SA-11 | SA-11 |
| SA-12 | Supply Chain Protection | P1 | Not Selected | Not Selected | SA-12 |
| SA-13 | Withdrawn | -- | -- | -- | -- |
| SA-14 | Critical Information System Components | P0 | Not Selected | Not Selected | Not Selected |
| SA-15 | Development Process, Standards, and Tools | P2 | Not Selected | Not Selected | SA-15 |
| SA-16 | Developer-Provided Training | P2 | Not Selected | Not Selected | SA-16 |
| SA-17 | Developer Security Architecture and Design | P1 | Not Selected | Not Selected | SA-17 |
| SA-18 | Tamper Resistance and Detection | P0 | Not Selected | Not Selected | Not Selected |
| SA-19 | Anti-Counterfeit | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "Software Usage Restrictions"; "P1"; "SA-6"; "SA-6"; "SA-6"; "User-Installed Software"; "P1"; "SA-7"; "SA-7"; "SA-7"; "Trustworthiness"; "P1"; "Not Selected"; "Not Selected"; "Priority"; "SA-13"; "Support"; "Acquisitions".

System and Communications Protection

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SC-1 | System and Communications Protection Policy and Procedures | P1 | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | P1 | Not Selected | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | P1 | Not Selected | Not Selected | SC-3 (6) |
| SC-4 | Information in Shared Resources | P1 | Not Selected | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | P1 | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Availability | P0 | Not Selected | Not Selected | Not Selected |
| SC-7 | Boundary Protection | P1 | SC-7 | SC-7 (1) (3) (4) (5) (7) | SC-7 (1) (3) (4) (5) (6) (7) (8) |
| SC-8 | Transmission Integrity | P1 | Not Selected | SC-8 (1) | SC-8 (1) |
| SC-9 | Transmission Confidentiality | P1 | Not Selected | SC-9 (1) | SC-9 (1) |
| SC-10 | Network Disconnect | P2 | Not Selected | SC-10 | SC-10 |
| SC-11 | Trusted Path | P0 | Not Selected | Not Selected | Not Selected |
| SC-12 | Cryptographic Key Establishment and Management | P1 | SC-12 | SC-12 | SC-12 (1) |
| SC-13 | Cryptographic Protection | P1 | SC-13 | SC-13 | SC-13 |
| SC-14 | Public Access Protections | P1 | SC-14 | SC-14 | SC-14 |
| SC-15 | Collaborative Computing Devices | P1 | SC-15 | SC-15 | SC-15 |
| SC-16 | Transmission of Security Attributes | P0 | Not Selected | Not Selected | Not Selected |
| SC-17 | Public Key Infrastructure Certificates | P1 | Not Selected | SC-17 | SC-17 |
| SC-18 | Mobile Code | P1 | Not Selected | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | P1 | Not Selected | SC-19 | SC-19 |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | P1 | SC-20 | SC-20 | SC-20 |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | P1 | SC-21 | SC-21 | SC-21 |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | P1 | SC-22 | SC-22 | SC-22 |
| SC-23 | Session Authenticity | P1 | Not Selected | SC-23 | SC-23 |
| SC-24 | Fail in Known State | P1 | Not Selected | Not Selected | SC-24 |
| SC-25 | Thin Nodes | P0 | Not Selected | Not Selected | Not Selected |
| SC-26 | Honeypots | P0 | Not Selected | Not Selected | Not Selected |
| SC-27 | Operating System-Independent Applications | P0 | Not Selected | Not Selected | Not Selected |
| SC-28 | Protection of Information at Rest | P1 | Not Selected | SC-28 | SC-28 |
| SC-29 | Heterogeneity | P0 | Not Selected | Not Selected | Not Selected |
| SC-30 | Concealment and Misdirection | P0 | Not Selected | Not Selected | Not Selected |
| SC-31 | Covert Channel Analysis | P0 | Not Selected | Not Selected | Not Selected |
| SC-32 | Information System Partitioning | P1 | Not Selected | SC-32 | SC-32 |
| SC-33 | Withdrawn | -- | -- | -- | -- |
| SC-34 | Non-Modifiable Executable Programs | P0 | Not Selected | Not Selected | Not Selected |
| SC-35 | Technical Surveillance Countermeasures Survey | P0 | Not Selected | Not Selected | Not Selected |
| SC-36 | Honeyclients | P0 | Not Selected | Not Selected | Not Selected |
| SC-37 | Distributed Processing and Storage | P0 | Not Selected | Not Selected | Not Selected |
| SC-38 | Malware Analysis | P0 | Not Selected | Not Selected | Not Selected |
| SC-39 | Out-of-Band Channels | P0 | Not Selected | Not Selected | Not Selected |
| SC-40 | Operations Security | P0 | Not Selected | Not Selected | Not Selected |
| SC-41 | Process Isolation | P1 | SC-41 | SC-41 | SC-41 |
| SC-42 | Wireless Link Protection | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "Transmission Preparation Integrity"; "P0"; "Not Selected"; "Not Selected"; "Not Selected"; "Virtualization Techniques"; "(1)"; "(1)"; "Use of Cryptography"; "2) ("; "2) ("; "(1)"; "Not Selected"; "Not Selected"; "Not Selected".

System and Information Integrity

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SI-1 | System and Information Integrity Policy and Procedures | P1 | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | P1 | SI-2 | SI-2 (2) | SI-2 (1) (2) |
| SI-3 | Malicious Code Protection | P1 | SI-3 | SI-3 (1) (2) (3) | SI-3 (1) (2) (3) |
| SI-4 | Information System Monitoring | P1 | SI-4 | SI-4 (2) (4) (5) (6) | SI-4 (2) (4) (5) (6) |
| SI-5 | Security Alerts, Advisories, and Directives | P1 | SI-5 | SI-5 | SI-5 (1) |
| SI-6 | Security Function Verification | P1 | Not Selected | Not Selected | SI-6 |
| SI-7 | Software, Firmware, and Information Integrity | P1 | Not Selected | SI-7 (1) (8) | SI-7 (1) (2) (5) (8) (15) |
| SI-8 | Spam Protection | P1 | Not Selected | SI-8 (1) (2) | SI-8 (1) (2) |
| SI-9 | Information Input Restrictions | P2 | Not Selected | SI-9 | SI-9 |
| SI-10 | Information Input Validation | P1 | Not Selected | SI-10 | SI-10 |
| SI-11 | Error Handling | P2 | Not Selected | SI-11 | SI-11 |
| SI-12 | Information Output Handling and Retention | P2 | SI-12 | SI-12 | SI-12 |
| SI-13 | Withdrawn | -- | -- | -- | -- |
| SI-14 | Non-Persistence | P0 | Not Selected | Not Selected | Not Selected |

Deleted (markup annotations in this section): "13"; "Predictable Failure Prevention"; "Functionality"; "Not Selected".

Program Management

| CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| PM-1 | Information Security Program Plan | P1 | Deployed organization-wide. Supporting all baselines. | | |
| PM-2 | Senior Information Security Officer | P1 | | | |
| PM-3 | Information Security Resources | P1 | | | |
| PM-4 | Plan of Action and Milestones Process | P1 | | | |
| PM-5 | Information System Inventory | P1 | | | |
| PM-6 | Information Security Measures of Performance | P1 | | | |
| PM-7 | Enterprise Architecture | P1 | | | |
| PM-8 | Critical Infrastructure Plan | P1 | | | |
| PM-9 | Risk Management Strategy | P1 | | | |
| PM-10 | Security Authorization Process | P1 | | | |
| PM-11 | Mission/Business Process Definition | P1 | | | |
| PM-12 | Insider Threat Program | P1 | | | |
| PM-13 | Information Security Workforce | P1 | | | |
| PM-14 | Operations Security Program | P1 | | | |
| PM-15 | Testing, Training, and Monitoring | P1 | | | |

The PM controls carry no per-baseline selection: the table marks the whole family "Deployed organization-wide. Supporting all baselines."
