4 - Controls |
also known as countermeasures, defenses |
LINK TO: |
Matching Controls to Threat & Vulnerability |
Risk Management Framework Controls |
NIST 800-53 Controls |
Matching MITRE Controls to ATT&CK Techniques |
MITRE D3FEND |
1,620 Cyber Security Vendors |
https://www.digitaldefense.com/wp-content/uploads/2018/09/Volume-3.1-TAG-Cyber-Security-Annual-Vendor-Listings.pdf |
Controls - Prices |
https://cybersecuritypricing.org/ |
NIST 800-53 Controls |
https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf |
Control Correlation Identifiers |
https://public.cyber.mil/stigs/cci/ |
Tactics | 14 |
Techniques | 188 |
Sub Techniques | 379 |
Actors/APTs | 129 |
Attack Tools | 638 |
Mitigations | 55 |
CIS Controls |
https://learn.cisecurity.org/cis-controls-download |
Scan of all ports on the internet |
https://censys.io/data |
See NIST Pubs for specific areas |
NIST_Special_Publications__SP |
Mapping of MITRE ATT&CK Mitigations against Threats |
14 Tactics, 342 Techniques |
NIST Cybersecurity Framework |
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf |
ATT&CK Techniques - I, P, D, R, or RC Rating where 10 = Strong Direct Protection, 5 = Moderate, 0 = None |
Bill Stearns Active Countermeasures Series |
Bill_Stearns_Active_Countermeasures_Series |
Rating where 10 = Strong Direct Protection, 5 = Moderate, Blank = None |
https://attack.mitre.org/mitigations |
Note that the columns representing the 14 Enterprise Tactics have only the first Technique listed |
Example Matching Controls to Threats & Vulnerabilities |
Control Type |
Identify (I), Protect (P), Detect (D), Respond (RS), Recover (RC) |
Denial of Service Attacks |
Malicious Web Pages |
Malicious Email Attachments |
Unauthorized Access to DBMS |
Unauthorized Access to Network |
Unauthorized Access to Building |
Poor Program Oversight |
Disgruntled Employee |
Switch & Router Attack |
Phishing |
Cross-Ref |
MITRE ATT&CK Control Type |
55 Controls |
MITRE Identifier |
Identify (I), Protect (P), Detect (D), Respond (RS), Recover (RC) |
Reconnaissance Active Scanning |
Resource Development Acquire Infrastructure |
Initial Access |
Execution |
Persistence |
Privilege Escalation |
Defense Evasion |
Credential Access |
Discovery |
Lateral Movement |
Collection |
Command & Control |
Exfiltration |
Impact |
|
ID |
(E)nterprise or (M)obile |
Name |
Description |
1 |
Anti-Malware |
I,P |
8 |
9 |
9 |
1 |
Account Use Policies |
M1036 |
1 |
M1001 |
M |
Security Updates |
Install security updates in response to discovered vulnerabilities. |
1 |
M1013 |
Application Developer Guidance |
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. |
2 |
Anti-Virus |
I,RS |
|
4 |
9 |
2 |
Active Directory Configuration |
M1015 |
2 |
M1002 |
M |
Attestation |
Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources. |
2 |
M1015 |
Active Directory Configuration |
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
3 |
Backup |
RC |
1,2 |
3 |
Antivirus/Antimalware |
M1049 |
3 |
M1003 |
M |
Lock Bootloader |
On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked. |
3 |
M1016 |
Vulnerability Scanning |
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. |
4 |
Best Current Practice RFCs |
I,D |
9 |
4 |
Application Developer Guidance |
M1013 |
4 |
M1004 |
M |
System Partition Integrity |
Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition. |
4 |
M1017 |
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
5 |
Building Access Control |
P |
5 |
Application Isolation and Sandboxing |
M1048 |
5 |
M1005 |
M |
Application Vetting |
Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service. |
5 |
M1018 |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
6 |
Certificates & Certifying Authority |
P |
6 |
Application Vetting |
M1005 |
6 |
M1006 |
M |
Use Recent OS Version |
New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques. |
6 |
M1019 |
Threat Intelligence Program |
A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk. |
7 |
Client Lockdown |
P |
13,16 |
7 |
Attestation |
M1002 |
7 |
M1007 |
M |
Caution with Device Administrator Access |
Warn device users not to accept requests to grant Device Administrator access to applications without good reason. |
7 |
M1020 |
SSL/TLS Inspection |
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity. |
8 |
DMZ |
P |
5 |
7 |
8 |
Audit |
M1047 |
8 |
M1009 |
M |
Encrypt Network Traffic |
Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption. |
8 |
M1021 |
Restrict Web-Based Content |
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. |
9 |
Email Attachment Blocking/Analysis |
D,P |
7 |
9 |
Behavior Prevention on Endpoint |
M1040 |
9 |
M1010 |
M |
Deploy Compromised Device Detection Method |
A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated. |
9 |
M1022 |
Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
10 |
Encryption - Data at Rest |
P |
10 |
Boot Integrity |
M1046 |
10 |
M1011 |
M |
User Guidance |
Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors. |
10 |
M1024 |
Restrict Registry Permissions |
Restrict the ability to modify certain hives or keys in the Windows Registry. |
11 |
Encryption - Data in Transit |
P |
3 |
11 |
Caution with Device Administrator Access |
M1007 |
11 |
M1012 |
M |
Enterprise Policy |
An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior. |
11 |
M1025 |
Privileged Process Integrity |
Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures. |
12 |
Extensible Authentication Protocol |
I,P |
12 |
Code Signing |
M1045 |
12 |
M1013 |
M |
Application Developer Guidance |
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. |
12 |
M1026 |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
13 |
Firewall Rules |
D,P |
9 |
6 |
13 |
Credential Access Protection |
M1043 |
13 |
M1014 |
M |
Interconnection Filtering |
In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests. |
13 |
M1027 |
Password Policies |
Set and enforce secure password policies for accounts. |
14 |
Hardened Switch & Router Configuration |
P |
10,11 |
14 |
Data Backup |
M1053 |
14 |
M1015 |
E |
Active Directory Configuration |
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
14 |
M1028 |
Operating System Configuration |
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
15 |
Infosec Personnel Training |
I,P,D,RS,RC |
|
8 |
15 |
Deploy Compromised Device Detection Method |
M1010 |
15 |
M1016 |
E |
Vulnerability Scanning |
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. |
15 |
M1029 |
Remote Data Storage |
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. |
16 |
Intrusion Detection & Prevention |
D,RS |
10 |
16 |
Disable or Remove Feature or Program |
M1042 |
16 |
M1017 |
E |
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
16 |
M1030 |
Network Segmentation |
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
17 |
Inventories - HW, SW, Datacomm |
I |
16 |
17 |
Do Not Mitigate |
M1055 |
17 |
M1018 |
E |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
17 |
M1031 |
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
18 |
IPSEC |
P |
13 |
18 |
Encrypt Network Traffic |
M1009 |
18 |
M1019 |
E |
Threat Intelligence Program |
A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk. |
18 |
M1032 |
Multi-factor Authentication |
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
19 |
Logging & Alerts |
I,D |
4 |
19 |
Encrypt Sensitive Information |
M1041 |
19 |
M1020 |
E |
SSL/TLS Inspection |
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity. |
19 |
M1033 |
Limit Software Installation |
Block users or groups from installing unapproved software. |
20 |
Multi-Factor Authentication |
P |
20 |
Enterprise Policy |
M1012 |
20 |
M1021 |
E |
Restrict Web-Based Content |
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. |
20 |
M1034 |
Limit Hardware Installation |
Block users or groups from installing or using unapproved hardware on systems, including USB devices. |
21 |
Personnel Basic Cyber Training |
P |
|
8 |
21 |
Environment Variable Permissions |
M1039 |
21 |
M1022 |
E |
Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
21 |
M1035 |
Limit Access to Resource Over Network |
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
22 |
Public Key Infrastructure |
P |
20 |
22 |
Execution Prevention |
M1038 |
22 |
M1024 |
E |
Restrict Registry Permissions |
Restrict the ability to modify certain hives or keys in the Windows Registry. |
22 |
M1036 |
Account Use Policies |
Configure features related to account use like login attempt lockouts, specific login times, etc. |
23 |
Reverse Path Filtering |
P,D |
16 |
23 |
Exploit Protection |
M1050 |
23 |
M1025 |
E |
Privileged Process Integrity |
Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures. |
23 |
M1037 |
Filter Network Traffic |
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
24 |
Client & Server OS Lockdown |
P |
13 |
24 |
Filter Network Traffic |
M1037 |
24 |
M1026 |
E |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
24 |
M1038 |
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
25 |
Strong Password Policy |
P |
7,24 |
25 |
Interconnection Filtering |
M1014 |
25 |
M1027 |
E |
Password Policies |
Set and enforce secure password policies for accounts. |
25 |
M1039 |
Environment Variable Permissions |
Prevent modification of environment variables by unauthorized users and groups. |
26 |
Threat Intelligence |
I |
4 |
6 |
26 |
Limit Access to Resource Over Network |
M1035 |
26 |
M1028 |
E |
Operating System Configuration |
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
26 |
M1040 |
Behavior Prevention on Endpoint |
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
27 |
Updates / Patch Management |
P |
|
7 |
27 |
Limit Hardware Installation |
M1034 |
27 |
M1029 |
E |
Remote Data Storage |
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. |
27 |
M1041 |
Encrypt Sensitive Information |
Protect sensitive information with strong encryption. |
28 |
Vulnerability Scanning |
I |
28 |
Limit Software Installation |
M1033 |
28 |
M1030 |
E |
Network Segmentation |
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
28 |
M1042 |
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
29 |
Web Page Vulnerability Testing |
D,P |
|
8 |
29 |
Lock Bootloader |
M1003 |
29 |
M1031 |
E |
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
29 |
M1043 |
Credential Access Protection |
Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping. |
30 |
White/Gray/Blacklisting |
I,P |
|
9 |
30 |
Authentication - Multifactor |
M1032 |
30 |
M1032 |
E |
Multi-factor Authentication |
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
30 |
M1044 |
Restrict Library Loading |
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software. |
31 |
Endpoint Detection & Response |
31 |
Network Intrusion Prevention |
M1031 |
31 |
M1033 |
E |
Limit Software Installation |
Block users or groups from installing unapproved software. |
31 |
M1045 |
Code Signing |
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
32 |
Network Segmentation |
M1030 |
32 |
M1034 |
E |
Limit Hardware Installation |
Block users or groups from installing or using unapproved hardware on systems, including USB devices. |
32 |
M1046 |
Boot Integrity |
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. |
The Risk Management Framework (RMF) Controls |
SOURCE: |
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf |
33 |
Operating System Configuration |
M1028 |
33 |
M1035 |
E |
Limit Access to Resource Over Network |
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
33 |
M1047 |
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
34 |
Password Policies |
M1027 |
34 |
M1036 |
E |
Account Use Policies |
Configure features related to account use like login attempt lockouts, specific login times, etc. |
34 |
M1048 |
Application Isolation and Sandboxing |
Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
IDENTIFY (ID) |
Asset Management |
ID.AM-1: Physical devices and systems within the organization are inventoried |
35 |
Pre-compromise |
M1056 |
35 |
M1037 |
E |
Filter Network Traffic |
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
35 |
M1049 |
Antivirus/Antimalware |
Use signatures or heuristics to detect malicious software. |
Business Environment |
ID.AM-2: Software platforms and applications within the organization are inventoried |
36 |
Privileged Account Management |
M1026 |
36 |
M1038 |
E |
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
36 |
M1050 |
Exploit Protection |
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
Governance |
ID.AM-3: Organizational communication and data flows are mapped |
37 |
Privileged Process Integrity |
M1025 |
37 |
M1039 |
E |
Environment Variable Permissions |
Prevent modification of environment variables by unauthorized users and groups. |
37 |
M1051 |
Update Software |
Perform regular software updates to mitigate exploitation risk. |
Risk Assessment |
ID.AM-4: External information systems are catalogued |
27 |
38 |
Remote Data Storage |
M1029 |
38 |
M1040 |
E |
Behavior Prevention on Endpoint |
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
38 |
M1052 |
User Account Control |
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access. |
Risk Management Strategy |
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value |
39 |
Restrict File and Directory Permissions |
M1022 |
39 |
M1041 |
E |
Encrypt Sensitive Information |
Protect sensitive information with strong encryption. |
39 |
M1053 |
Data Backup |
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. |
Supply Chain Risk Management |
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
40 |
Restrict Library Loading |
M1044 |
40 |
M1042 |
E |
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
40 |
M1054 |
Software Configuration |
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates. |
ID.BE-1: The organization’s role in the supply chain is identified and communicated |
15,21 |
41 |
Restrict Registry Permissions |
M1024 |
41 |
M1043 |
E |
Credential Access Protection |
Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping. |
41 |
M1055 |
Do Not Mitigate |
This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended. |
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated |
28 |
42 |
Restrict Web-Based Content |
M1021 |
42 |
M1044 |
E |
Restrict Library Loading |
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software. |
42 |
M1056 |
Pre-compromise |
This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. |
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated |
43 |
Security Updates |
M1001 |
43 |
M1045 |
E |
Code Signing |
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
43 |
M1057 |
Data Loss Prevention |
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data. |
ID.BE-4: Dependencies and critical functions for delivery of critical services are established |
44 |
Software Configuration |
M1054 |
44 |
M1046 |
E |
Boot Integrity |
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. |
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) |
45 |
SSL/TLS Inspection |
M1020 |
45 |
M1047 |
E |
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
ID.GV-1: Organizational cybersecurity policy is established and communicated |
46 |
System Partition Integrity |
M1004 |
46 |
M1048 |
E |
Application Isolation and Sandboxing |
Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners |
47 |
Threat Intelligence Program |
M1019 |
47 |
M1049 |
E |
Antivirus/Antimalware |
Use signatures or heuristics to detect malicious software. |
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed |
48 |
Update Software |
M1051 |
48 |
M1050 |
E |
Exploit Protection |
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
ID.GV-4: Governance and risk management processes address cybersecurity risks |
49 |
Use Recent OS Version |
M1006 |
49 |
M1051 |
E |
Update Software |
Perform regular software updates to mitigate exploitation risk. |
ID.RA-1: Asset vulnerabilities are identified and documented |
50 |
User Account Control |
M1052 |
50 |
M1052 |
E |
User Account Control |
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access. |
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources |
51 |
User Account Management |
M1018 |
51 |
M1053 |
E |
Data Backup |
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. |
ID.RA-3: Threats, both internal and external, are identified and documented |
52 |
User Guidance |
M1011 |
52 |
M1054 |
E |
Software Configuration |
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates. |
ID.RA-4: Potential business impacts and likelihoods are identified |
53 |
User Training |
M1017 |
53 |
M1055 |
E |
Do Not Mitigate |
This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended. |
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
54 |
Vulnerability Scanning |
M1016 |
54 |
M1056 |
E |
Pre-compromise |
This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. |
ID.RA-6: Risk responses are identified and prioritized |
55 |
M1057 |
E |
Data Loss Prevention |
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data. |
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders |
ID.RM-2: Organizational risk tolerance is determined and clearly expressed |
MITRE D3FEND (2022) |
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis |
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process |
ID.SC-3: Contracts with suppliers and 3rd-party partners are used to implement appropriate measures designed to meet the objectives of an org’s cybersecurity program and Cyber Supply Chain Risk Mgmt Plan |
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. |
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers |
PROTECT (PR) |
Access Control & Identity Management |
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
Awareness and Training |
PR.AC-2: Physical access to assets is managed and protected |
Data Security |
PR.AC-3: Remote access is managed |
Information Protection Processes and Procedures |
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
Maintenance |
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) |
Protective Technology |
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions |
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
PR.AT-1: All users are informed and trained |
|
|
|
|
|
|
|
|
|
PR.AT-2: Privileged users understand their roles and
responsibilities |
|
|
|
|
|
|
|
|
|
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers,
partners) understand their roles and responsibilities |
|
|
|
|
|
|
|
|
|
PR.AT-4: Senior executives understand their roles and
responsibilities |
|
|
|
|
|
|
|
|
|
PR.AT-5: Physical and cybersecurity personnel understand their roles
and responsibilities |
|
|
|
|
|
|
|
|
|
PR.DS-1: Data-at-rest is protected |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-2: Data-in-transit is protected |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-3: Assets are formally managed
throughout removal,
transfers, and disposition |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-4: Adequate capacity to ensure
availability is
maintained |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-5: Protections against data leaks
are implemented |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-6: Integrity checking mechanisms
are used to verify
software, firmware, and information integrity |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-7: The development and testing
environment(s) are
separate from the production environment |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.DS-8: Integrity checking mechanisms
are used to verify
hardware integrity |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-1: A baseline configuration of
information technology/industrial
control systems is created and maintained incorporating security principles
(e.g. concept of least functionality) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-2: A System Development Life Cycle
to manage systems is
implemented |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-3: Configuration change control
processes are in place |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-4: Backups of information are
conducted, maintained,
and tested |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-5: Policy and regulations
regarding the physical
operating environment for organizational assets are met |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-6: Data is destroyed according to
policy |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-7: Protection processes are
improved |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-8: Effectiveness of protection
technologies is shared |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-9: Response plans (Incident
Response and Business
Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are
in place and managed |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-10: Response and recovery plans
are tested |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-11: Cybersecurity is included in
human resources
practices (e.g., deprovisioning, personnel screening) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.IP-12: A vulnerability management plan is developed and implemented |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.MA-1: Maintenance and repair of
organizational assets
are performed and logged, with approved and controlled tools |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.MA-2: Remote maintenance of
organizational assets
is approved, logged, and performed in a manner that prevents unauthorized
access |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.PT-1: Audit/log records are
determined, documented,
implemented, and reviewed in accordance with policy |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.PT-2: Removable media is protected
and its use restricted
according to policy |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.PT-3: The principle of least
functionality is incorporated
by configuring systems to provide only essential capabilities |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.PT-4: Communications and control
networks are protected |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
PR.PT-5: Mechanisms (e.g., failsafe,
load balancing, hot
swap) are implemented to achieve resilience requirements in normal and
adverse situations |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DETECT (DE)

Anomalies and Events (DE.AE)
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established

Security Continuous Monitoring (DE.CM)
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed

Detection Processes (DE.DP)
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved

RESPOND (RS)

Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident

Communications (RS.CO)
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis (RS.AN)
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

Mitigation (RS.MI)
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM)
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated

RECOVER (RC)

Recovery Planning (RC.RP)
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Improvements (RC.IM)
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated

Communications (RC.CO)
RC.CO-1: Public relations are managed
RC.CO-2: Reputation is repaired after an incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

NIST Publication 800-53 Controls (Total 173)

Rows are Number | Name. The detail location in 800-53 r4 (appendix, appendix page, page in the PDF) is given where the page records it: AC-1 is in Appendix F-AC, page F-7, PDF page 164. The SE, TR and UL families at the end are the privacy controls from Appendix J of 800-53 r4.

ACCESS CONTROL (AC)
AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | Appendix F-AC, page F-7, PDF page 164
AC-2 | ACCOUNT MANAGEMENT
AC-3 | ACCESS ENFORCEMENT
AC-4 | INFORMATION FLOW ENFORCEMENT
AC-5 | SEPARATION OF DUTIES
AC-6 | LEAST PRIVILEGE
AC-7 | UNSUCCESSFUL LOGON ATTEMPTS
AC-8 | SYSTEM USE NOTIFICATION
AC-10 | CONCURRENT SESSION CONTROL
AC-11 | SESSION LOCK
AC-12 | SESSION TERMINATION
AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-17 | REMOTE ACCESS
AC-18 | WIRELESS ACCESS
AC-19 | ACCESS CONTROL FOR MOBILE DEVICES
AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS
AC-21 | INFORMATION SHARING
AC-22 | PUBLICLY ACCESSIBLE CONTENT

AWARENESS AND TRAINING (AT)
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 | SECURITY AWARENESS TRAINING
AT-3 | ROLE-BASED SECURITY TRAINING
AT-4 | SECURITY TRAINING RECORDS

AUDIT AND ACCOUNTABILITY (AU)
AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-2 | AUDIT EVENTS
AU-3 | CONTENT OF AUDIT RECORDS
AU-4 | AUDIT STORAGE CAPACITY
AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES
AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-7 | AUDIT REDUCTION AND REPORT GENERATION
AU-8 | TIME STAMPS
AU-9 | PROTECTION OF AUDIT INFORMATION
AU-11 | AUDIT RECORD RETENTION
AU-12 | AUDIT GENERATION

SECURITY ASSESSMENT AND AUTHORIZATION (CA)
CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CA-2 | SECURITY ASSESSMENTS
CA-3 | SYSTEM INTERCONNECTIONS
CA-5 | PLAN OF ACTION AND MILESTONES
CA-6 | SECURITY AUTHORIZATION
CA-7 | CONTINUOUS MONITORING
CA-8 | PENETRATION TESTING
CA-9 | INTERNAL SYSTEM CONNECTIONS

CONFIGURATION MANAGEMENT (CM)
CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-2 | BASELINE CONFIGURATION
CM-3 | CONFIGURATION CHANGE CONTROL
CM-4 | SECURITY IMPACT ANALYSIS
CM-5 | ACCESS RESTRICTIONS FOR CHANGE
CM-6 | CONFIGURATION SETTINGS
CM-7 | LEAST FUNCTIONALITY
CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY
CM-9 | CONFIGURATION MANAGEMENT PLAN
CM-10 | SOFTWARE USAGE RESTRICTIONS
CM-11 | USER-INSTALLED SOFTWARE

CONTINGENCY PLANNING (CP)
CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2 | CONTINGENCY PLAN
CP-3 | CONTINGENCY TRAINING
CP-4 | CONTINGENCY PLAN TESTING
CP-6 | ALTERNATE STORAGE SITE
CP-7 | ALTERNATE PROCESSING SITE
CP-8 | TELECOMMUNICATIONS SERVICES
CP-9 | INFORMATION SYSTEM BACKUP
CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

IDENTIFICATION AND AUTHENTICATION (IA)
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION
IA-4 | IDENTIFIER MANAGEMENT
IA-5 | AUTHENTICATOR MANAGEMENT
IA-6 | AUTHENTICATOR FEEDBACK
IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)

INCIDENT RESPONSE (IR)
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES
IR-2 | INCIDENT RESPONSE TRAINING
IR-3 | INCIDENT RESPONSE TESTING
IR-4 | INCIDENT HANDLING
IR-5 | INCIDENT MONITORING
IR-6 | INCIDENT REPORTING
IR-7 | INCIDENT RESPONSE ASSISTANCE
IR-8 | INCIDENT RESPONSE PLAN
IR-9 | INFORMATION SPILLAGE RESPONSE

MAINTENANCE (MA)
MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-2 | CONTROLLED MAINTENANCE
MA-3 | MAINTENANCE TOOLS
MA-4 | NONLOCAL MAINTENANCE
MA-5 | MAINTENANCE PERSONNEL
MA-6 | TIMELY MAINTENANCE

MEDIA PROTECTION (MP)
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES
MP-2 | MEDIA ACCESS
MP-3 | MEDIA MARKING
MP-4 | MEDIA STORAGE
MP-5 | MEDIA TRANSPORT
MP-6 | MEDIA SANITIZATION
MP-7 | MEDIA USE

PHYSICAL AND ENVIRONMENTAL PROTECTION (PE)
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-2 | PHYSICAL ACCESS AUTHORIZATIONS
PE-3 | PHYSICAL ACCESS CONTROL
PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES
PE-6 | MONITORING PHYSICAL ACCESS
PE-8 | VISITOR ACCESS RECORDS
PE-9 | POWER EQUIPMENT AND CABLING
PE-10 | EMERGENCY SHUTOFF
PE-11 | EMERGENCY POWER
PE-12 | EMERGENCY LIGHTING
PE-13 | FIRE PROTECTION
PE-14 | TEMPERATURE AND HUMIDITY CONTROLS
PE-15 | WATER DAMAGE PROTECTION
PE-16 | DELIVERY AND REMOVAL
PE-17 | ALTERNATE WORK SITE

PLANNING (PL)
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES
PL-2 | SYSTEM SECURITY PLAN
PL-4 | RULES OF BEHAVIOR
PL-8 | INFORMATION SECURITY ARCHITECTURE

PERSONNEL SECURITY (PS)
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES
PS-2 | POSITION RISK DESIGNATION
PS-3 | PERSONNEL SCREENING
PS-4 | PERSONNEL TERMINATION
PS-5 | PERSONNEL TRANSFER
PS-6 | ACCESS AGREEMENTS
PS-7 | THIRD-PARTY PERSONNEL SECURITY
PS-8 | PERSONNEL SANCTIONS

RISK ASSESSMENT (RA)
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES
RA-2 | SECURITY CATEGORIZATION
RA-3 | RISK ASSESSMENT
RA-5 | VULNERABILITY SCANNING

SYSTEM AND SERVICES ACQUISITION (SA)
SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-2 | ALLOCATION OF RESOURCES
SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE
SA-4 | ACQUISITION PROCESS
SA-5 | INFORMATION SYSTEM DOCUMENTATION
SA-8 | SECURITY ENGINEERING PRINCIPLES
SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES
SA-10 | DEVELOPER CONFIGURATION MANAGEMENT
SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION

SYSTEM AND COMMUNICATIONS PROTECTION (SC)
SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-2 | APPLICATION PARTITIONING
SC-4 | INFORMATION IN SHARED RESOURCES
SC-5 | DENIAL OF SERVICE PROTECTION
SC-7 | BOUNDARY PROTECTION
SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-10 | NETWORK DISCONNECT
SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-13 | CRYPTOGRAPHIC PROTECTION
SC-15 | COLLABORATIVE COMPUTING DEVICES
SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-18 | MOBILE CODE
SC-19 | VOICE OVER INTERNET PROTOCOL
SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SC-23 | SESSION AUTHENTICITY
SC-28 | PROTECTION OF INFORMATION AT REST
SC-39 | PROCESS ISOLATION

SYSTEM AND INFORMATION INTEGRITY (SI)
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-2 | FLAW REMEDIATION
SI-3 | MALICIOUS CODE PROTECTION
SI-4 | INFORMATION SYSTEM MONITORING
SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-6 | SECURITY FUNCTION VERIFICATION
SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
SI-8 | SPAM PROTECTION
SI-10 | INFORMATION INPUT VALIDATION
SI-11 | ERROR HANDLING
SI-12 | INFORMATION HANDLING AND RETENTION
SI-16 | MEMORY PROTECTION

SECURITY (SE)
SE-1 | INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
SE-2 | PRIVACY INCIDENT RESPONSE

TRANSPARENCY (TR)
TR-1 | PRIVACY NOTICE
TR-2 | SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS
TR-3 | DISSEMINATION OF PRIVACY PROGRAM INFORMATION

USE LIMITATION (UL)
UL-1 | INTERNAL USE
UL-2 | INFORMATION SHARING WITH THIRD PARTIES

Bill Stearns Active Countermeasures Series

1. Unexpected Protocol on Non-Standard Port
2. Long Connections
3. Client Signatures (User Agent)
4. DNS
5. Beacons
6. Threat Intel
7. Certificate Issues
8. Client Signatures (TLS Signature)
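The eight checks above are listed by title only. The Python below is an added example, not code from the Active Countermeasures series or from this page, that runs three of them (items 1, 2 and 5) over a handful of constructed Zeek-style conn.log records: a protocol on a port it does not belong on, a session held open for hours, and a host checking in on a timer. The column layout, the EXPECTED_PORTS table, the sample addresses and every threshold are assumptions chosen for illustration.

```python
"""Three network threat-hunting checks over Zeek-style conn.log records.

Added example, not code from the Active Countermeasures series. The
sample records, the expected-port table and every threshold are
assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict

# Assumed table of where a recognised protocol is normally seen. Zeek
# labels the protocol in the `service` column; the port is id.resp_p.
EXPECTED_PORTS = {
    "ssh": {22},
    "http": {80, 8080},
    "ssl": {443, 8443},
    "dns": {53},
}


def parse_conn_log(text):
    """Parse tab-separated conn.log lines with the assumed column order
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration.
    Zeek header/comment lines (starting with '#') are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append({
            "ts": float(f[0]),
            "src": f[2],
            "dst": f[4],
            "dport": int(f[5]),
            "service": None if f[7] == "-" else f[7],
            "duration": 0.0 if f[8] == "-" else float(f[8]),
        })
    return records


def unexpected_ports(records):
    """Item 1: a recognised protocol on a port it is not expected on."""
    return [(r["src"], r["dst"], r["dport"], r["service"])
            for r in records
            if r["service"] in EXPECTED_PORTS
            and r["dport"] not in EXPECTED_PORTS[r["service"]]]


def long_connections(records, min_seconds=3600.0):
    """Item 2: sessions held open for at least min_seconds."""
    return [(r["src"], r["dst"], r["dport"], r["duration"])
            for r in records if r["duration"] >= min_seconds]


def beacons(records, min_connections=10, max_cv=0.2):
    """Item 5: a src -> dst:port pair connecting at regular intervals.
    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connection starts: interactive traffic is bursty
    (high CV); a check-in timer with light jitter is not (low CV)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((pair, round(mean, 1), round(cv, 3)))
    return found


def hunt(text):
    """Run all three checks over one conn.log and return the hits by name."""
    records = parse_conn_log(text)
    return {
        "unexpected_ports": unexpected_ports(records),
        "long_connections": long_connections(records),
        "beacons": beacons(records),
    }


# Constructed sample log (assumption, not captured traffic): a 60 s beacon
# with +/-2 s jitter, bursty user browsing, a 2-hour SSH session, and SSH
# answered on port 443.
def _rec(ts, src, dst, dport, service, duration):
    return "\t".join([f"{ts:.6f}", "Cx0", src, "51000", dst, str(dport),
                      "tcp", service, f"{duration:.3f}"])


_BEACON_OFFSETS = [0, 60, 121, 180, 240, 302, 360, 420, 481, 540, 600, 660]
_USER_OFFSETS = [0, 2, 302, 307, 308, 1208, 1211, 1251, 3251, 3252]

SAMPLE_LOG = "\n".join(
    ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"]
    + [_rec(1700000000 + o, "10.0.0.5", "203.0.113.9", 443, "ssl", 0.4) for o in _BEACON_OFFSETS]
    + [_rec(1700001000 + o, "10.0.0.6", "93.184.216.34", 80, "http", 1.2) for o in _USER_OFFSETS]
    + [_rec(1700002000, "10.0.0.7", "198.51.100.4", 22, "ssh", 7200.0),
       _rec(1700002100, "10.0.0.8", "198.51.100.20", 443, "ssh", 3.0)]
)

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LOG).items():
        print(name, hits)
```

Against the sample, only the 10.0.0.5 to 203.0.113.9:443 pair is reported as a beacon (mean gap 60 s, CV about 0.017); the browsing host makes the same number of connections but its gaps vary too much. The CV threshold is the knob to tune: real C2 frameworks add deliberate jitter, so a hunt normally runs it at several values and also looks at the distribution of bytes per connection, which this example leaves out.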