IA-8 (3)

HOME

AC-1 ACCESS CONTROL POLICY AND PROCEDURES
AC-2 ACCOUNT MANAGEMENT
AC-2 (1)
AC-2 (2)
AC-2 (3)
AC-2 (4)
AC-2 (5)
AC-2 (7)
AC-2 (9)
AC-2 (10)
AC-2 (11)
AC-2 (12)
AC-2 (13)
AC-3 ACCESS ENFORCEMENT
AC-4 INFORMATION FLOW ENFORCEMENT
AC-4 (8)
AC-4 (21)
AC-5 SEPARATION OF DUTIES
AC-6 LEAST PRIVILEGE
AC-6 (1)
AC-6 (2)
AC-6 (3)
AC-6 (5)
AC-6 (7)
AC-6 (8)
AC-6 (9)
AC-6 (10)
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
AC-7 (2)
AC-8 SYSTEM USE NOTIFICATION
AC-10 CONCURRENT SESSION CONTROL
AC-11 SESSION LOCK
AC-11 (1)
AC-12 SESSION TERMINATION
AC-12 (1)
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-17 REMOTE ACCESS
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-17 (9)
AC-18 WIRELESS ACCESS
AC-18 (1)
AC-18 (3)
AC-18 (4)
AC-18 (5)
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
AC-19 (5)
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-20 (1)
AC-20 (2)
AC-21 INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE CONTENT
AT-1 SECURITY AWARENESS AND TRAINING POLICY ANDPROCEDURES
AT-2 SECURITY AWARENESS TRAINING
AT-2 (2)
AT-3 ROLE-BASED SECURITY TRAINING
AT-3 (3)
AT-3 (4)
AT-4 SECURITY TRAINING RECORDS
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-2 AUDIT EVENTS
AU-2 (3)
AU-3 CONTENT OF AUDIT RECORDS
AU-3 (1)
AU-3 (2)
AU-4 AUDIT STORAGE CAPACITY
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
AU-5 (1)
AU-5 (2)
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6 (1)
AU-6 (3)
AU-6 (4)
AU-6 (5)
AU-6 (6)
AU-6 (7)
AU-6 (10)
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-7 (1)
AU-8 TIME STAMPS
AU-8 (1)
AU-9 PROTECTION OF AUDIT INFORMATION
AU-9 (2)
AU-9 (3)
AU-9 (4)
AU-10 NON-REPUDIATION
AU-11 AUDIT RECORD RETENTION
AU-12 AUDIT GENERATION
AU-12 (1)
AU-12 (3)
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CA-2 SECURITY ASSESSMENTS
CA-2 (1)
CA-2 (2)
CA-2 (3)
CA-3 SYSTEM INTERCONNECTIONS
CA-3 (3)
CA-3 (5)
CA-5 PLAN OF ACTION AND MILESTONES
CA-6 SECURITY AUTHORIZATION
CA-7 CONTINUOUS MONITORING
CA-7 (1)
CA-7 (3)
CA-8 PENETRATION TESTING
CA-8 (1)
CA-9 INTERNAL SYSTEM CONNECTIONS
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-2 BASELINE CONFIGURATION
CM-2 (1)
CM-2 (2)
CM-2 (3)
CM-2 (7)
CM-3 CONFIGURATION CHANGE CONTROL
CM-3 (1)
CM-3 (2)
CM-3 (4)
CM-3 (6)
CM-4 SECURITY IMPACT ANALYSIS
CM-4 (1)
CM-5 ACCESS RESTRICTIONS FOR CHANGE
CM-5 (1)
CM-5 (2)
CM-5 (3)
CM-5 (5)
CM-6 CONFIGURATION SETTINGS
CM-6 (1)
CM-6 (2)
CM-7 LEAST FUNCTIONALITY
CM-7 (1)
CM-7 (2)
CM-7 (5)
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CM-8 (1)
CM-8 (2)
CM-8 (3)
CM-8 (4)
CM-8 (5)
CM-9 CONFIGURATION MANAGEMENT PLAN
CM-10 SOFTWARE USAGE RESTRICTIONS
CM-10 (1)
CM-11 USER-INSTALLED SOFTWARE
CM-11 (1)
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2 CONTINGENCY PLAN
CP-2 (1)
CP-2 (2)
CP-2 (3)
CP-2 (4)
CP-2 (5)
CP-2 (8)
CP-3 CONTINGENCY TRAINING
CP-3 (1)
CP-4 CONTINGENCY PLAN TESTING
CP-4 (1)
CP-4 (2)
CP-6 ALTERNATE STORAGE SITE
CP-6 (1)
CP-6 (2)
CP-6 (3)
CP-7 ALTERNATE PROCESSING SITE
CP-7 (1)
CP-7 (2)
CP-7 (3)
CP-7 (4)
CP-8 TELECOMMUNICATIONS SERVICES
CP-8 (1)
CP-8 (2)
CP-8 (3)
CP-8 (4)
CP-9 INFORMATION SYSTEM BACKUP
CP-9 (1)
CP-9 (2)
CP-9 (3)
CP-9 (5)
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10 (2)
CP-10 (4)
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (4)
IA-2 (5)
IA-2 (8)
IA-2 (9)
IA-2 (11)
IA-2 (12)
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
IA-4 IDENTIFIER MANAGEMENT
IA-4 (4)
IA-5 AUTHENTICATOR MANAGEMENT
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (4)
IA-5 (6)
IA-5 (7)
IA-5 (8)
IA-5 (11)
IA-5 (13)
IA-6 AUTHENTICATOR FEEDBACK
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS)
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-2 INCIDENT RESPONSE TRAINING
IR-2 (1)
IR-2 (2)
IR-3 INCIDENT RESPONSE TESTING
IR-3 (2)
IR-4 INCIDENT HANDLING
IR-4 (1)
IR-4 (2)
IR-4 (3)
IR-4 (4)
IR-4 (6)
IR-4 (8)
IR-5 INCIDENT MONITORING
IR-5 (1)
IR-6 INCIDENT REPORTING
IR-6 (1)
IR-7 INCIDENT RESPONSE ASSISTANCE
IR-7 (1)
IR-7 (2)
IR-8 INCIDENT RESPONSE PLAN
IR-9 INFORMATION SPILLAGE RESPONSE
IR-9 (1)
IR-9 (2)
IR-9 (3)
IR-9 (4)
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-2 CONTROLLED MAINTENANCE
MA-2 (2)
MA-3 MAINTENANCE TOOLS
MA-3 (1)
MA-3 (2)
MA-3 (3)
MA-4 NONLOCAL MAINTENANCE
MA-4 (2)
MA-4 (3)
MA-4 (6)
MA-5 MAINTENANCE PERSONNEL
MA-5 (1)
MA-6 TIMELY MAINTENANCE
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
MP-2 MEDIA ACCESS
MP-3 MEDIA MARKING
MP-4 MEDIA STORAGE
MP-5 MEDIA TRANSPORT
MP-5 (4)
MP-6 MEDIA SANITIZATION
MP-6 (1)
MP-6 (2)
MP-6 (3)
MP-7 MEDIA USE
MP-7 (1)
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
PE-3 PHYSICAL ACCESS CONTROL
PE-3 (1)
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-6 MONITORING PHYSICAL ACCESS
PE-6 (1)
PE-6 (4)
PE-8 VISITOR ACCESS RECORDS
PE-8 (1)
PE-9 POWER EQUIPMENT AND CABLING
PE-10 EMERGENCY SHUTOFF
PE-11 EMERGENCY POWER
PE-11 (1)
PE-12 EMERGENCY LIGHTING
PE-13 FIRE PROTECTION
PE-13 (1)
PE-13 (2)
PE-13 (3)
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-14 (2)
PE-15 WATER DAMAGE PROTECTION
PE-15 (1)
PE-16 DELIVERY AND REMOVAL
PE-17 ALTERNATE WORK SITE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
PL-2 SYSTEM SECURITY PLAN
PL-2 (3)
PL-4 RULES OF BEHAVIOR
PL-4 (1)
PL-8 INFORMATION SECURITY ARCHITECTURE
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
PS-2 POSITION RISK DESIGNATION
PS-3 PERSONNEL SCREENING
PS-3 (3)
PS-4 PERSONNEL TERMINATION
PS-4 (2)
PS-5 PERSONNEL TRANSFER
PS-6 ACCESS AGREEMENTS
PS-7 THIRD-PARTY PERSONNEL SECURITY
PS-8 PERSONNEL SANCTIONS
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
RA-2 SECURITY CATEGORIZATION
RA-3 RISK ASSESSMENT
RA-5 VULNERABILITY SCANNING
RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (4)
RA-5 (5)
RA-5 (6)
RA-5 (8)
RA-5 (10)
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-2 ALLOCATION OF RESOURCES
SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
SA-4 ACQUISITION PROCESS
SA-4 (1)
SA-4 (2)
SA-4 (8)
SA-4 (9)
SA-4 (10)
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
SA-9 (1)
SA-9 (2)
SA-9 (4)
SA-9 (5)
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-10 (1)
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
SA-11 (1)
SA-11 (2)
SA-11 (8)
SA-12 SUPPLY CHAIN PROTECTION
SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
SA-16 DEVELOPER-PROVIDED TRAINING
SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-2 APPLICATION PARTITIONING
SC-3 SECURITY FUNCTION ISOLATION
SC-4 INFORMATION IN SHARED RESOURCES
SC-5 DENIAL OF SERVICE PROTECTION
SC-6 RESOURCE AVAILABILITY
SC-7 BOUNDARY PROTECTION
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (10)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-7 (20)
SC-7 (21)
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-8 (1)
SC-10 NETWORK DISCONNECT
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12 (1)
SC-12 (2)
SC-12 (3)
SC-13 CRYPTOGRAPHIC PROTECTION
SC-15 COLLABORATIVE COMPUTING DEVICES
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-18 MOBILE CODE
SC-19 VOICE OVER INTERNET PROTOCOL
SC-20 SECURE NAME /ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21 SECURE NAME /ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE
SC-23 SESSION AUTHENTICITY
SC-23 (1)
SC-24 FAIL IN KNOWN STATE
SC-28 PROTECTION OF INFORMATION AT REST
SC-28 (1)
SC-39 PROCESS ISOLATION
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-2 FLAW REMEDIATION
SI-2 (1)
SI-2 (2)
SI-2 (3)
SI-3 MALICIOUS CODE PROTECTION
SI-3 (1)
SI-3 (2)
SI-3 (7)
SI-4 INFORMATION SYSTEM MONITORING
SI-4 (1)
SI-4 (2)
SI-4 (4)
SI-4 (5)
SI-4 (11)
SI-4 (14)
SI-4 (16)
SI-4 (18)
SI-4 (19)
SI-4 (20)
SI-4 (22)
SI-4 (23)
SI-4 (24)
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-5 (1)
SI-6 SECURITY FUNCTION VERIFICATION
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
SI-7 (1)
SI-7 (2)
SI-7 (5)
SI-7 (7)
SI-7 (14)
SI-8 SPAM PROTECTION
SI-8 (1)
SI-8 (2)
SI-10 INFORMATION INPUT VALIDATION
SI-11 ERROR HANDLING
SI-12 INFORMATION HANDLING AND RETENTION
SI-16 MEMORY PROTECTION

IA-8 (3)

IA-8 (3) H M L

Description

The organization employs only FICAM-approved information system components in [Assignment:
organization-defined information systems] to accept third-party credentials.

DISA Cloud Computing SRG

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG

Supplemental Guidance

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

Related Controls

SA-4