| 05-07-2013 | Editorial | Changed CA-9 Priority Code from P1 to P2 in Table D-2. | D-3 |
| 05-07-2013 | Editorial | Changed CM-10 Priority Code from P1 to P2 in Table D-2. | D-4 |
| 05-07-2013 | Editorial | Changed MA-6 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed MP-3 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-5 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-16 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-17 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PE-18 Priority Code from P2 to P3 in Table D-2. | D-5 |
| 05-07-2013 | Editorial | Changed PL-4 Priority Code from P1 to P2 in Table D-2. | D-6 |
| 05-07-2013 | Editorial | Changed PS-4 Priority Code from P2 to P1 in Table D-2. | D-6 |
| 05-07-2013 | Editorial | Changed SA-11 Priority Code from P2 to P1 in Table D-2. | D-6 |
| 05-07-2013 | Editorial | Changed SC-18 Priority Code from P1 to P2 in Table D-2. | D-7 |
| 05-07-2013 | Editorial | Changed SI-8 Priority Code from P1 to P2 in Table D-2. | D-8 |
| 05-07-2013 | Editorial | Deleted reference to SA-5 (6) in Table D-17. | D-32 |
| 05-07-2013 | Editorial | Deleted CM-4 (3) from Table E-2. | E-4 |
| 05-07-2013 | Editorial | Deleted CM-4 (3) from Table E-3. | E-5 |
| 05-07-2013 | Editorial | Deleted reference to SA-5 (6). | F-161 |
| 05-07-2013 | Editorial | Changed SI-16 Priority Code from P0 to P1. | F-233 |
| 01-15-2014 | Editorial | Deleted “(both intentional and unintentional)” in line 5 in Abstract. | iii |
| 01-15-2014 | Editorial | Deleted “security and privacy” in line 5 in Abstract. | iii |
| 01-15-2014 | Editorial | Changed “an initial set of baseline security controls” to “the applicable security control baseline” in Section 2.1, RMF Step 2. | 9 |
| 01-15-2014 | Editorial | Deleted the following paragraph: “The security control enhancements section provides…in Appendix F.” | 11 |
| 01-15-2014 | Editorial | Changed “baseline security controls” to “the security control baselines” in Section 2.3, 2nd paragraph, line 6. | 13 |
| 01-15-2014 | Editorial | Changed “an initial set of security controls” to “the applicable security control baseline” in Section 3.1, paragraph 2, line 4. | 28 |
| 01-15-2014 | Editorial | Changed “security control baselines” to “baselines identified in Appendix D” in Section 3.1, paragraph 2, line 5. | 28 |
| 01-15-2014 | Editorial | Changed “an appropriate set of baseline controls” to “the appropriate security control baseline” in Section 3.1, paragraph 3, line 3. | 29 |
| 01-15-2014 | Editorial | Deleted “initial” before “security control baseline” and added “FIPS 200” before “impact level” in Section 3.1, paragraph 3, line 4. | 29 |
| 01-15-2014 | Editorial | Changed “sets of baseline security controls” to “security control baselines” in Section 3.1, paragraph 3, line 6. | 29 |
| 01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 1, line 1. | 30 |
| 01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, paragraph 3, line 5. | 31 |
| 01-15-2014 | Editorial | Deleted “set of” before “security controls” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 1. | 33 |
| 01-15-2014 | Editorial | Deleted “initial” before “set of” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 2. | 33 |
| 01-15-2014 | Editorial | Changed “the baselines” to “each baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 3. | 33 |
| 01-15-2014 | Editorial | Changed “initial set of security controls” to “security control baseline” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 5. | 33 |
| 01-15-2014 | Editorial | Added “specific” before “locations” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 6. | 33 |
| 01-15-2014 | Editorial | Changed “initial” to “three” in Section 3.2, Applying Scoping Considerations, Mobility paragraph, line 8. | 33 |
| 01-15-2014 | Editorial | Changed “initial set of baseline security controls” to “applicable security control baseline” in Section 3.2, Selecting Compensating Security Controls, line 10. | 36 |
| 01-15-2014 | Editorial | Changed “a set of initial baseline security controls” to “security control baselines” in Section 3.3, line 1. | 40 |
| 01-15-2014 | Editorial | Added “.” after “C.F.R” in #3, Policies, Directives, Instructions, Regulations, and Memoranda. | A-1 |
| 01-15-2014 | Editorial | Added “Revision 1 (Draft)” to NIST Special Publication 800-52 in References. | A-7 |
| 01-15-2014 | Editorial | Added “Configuration,” to title of NIST Special Publication 800-52, Revision 1. | A-7 |
| 01-15-2014 | Editorial | Changed date for NIST Special Publication 800-52, Revision 1 to September 2013. | A-7 |
| 01-15-2014 | Editorial | Moved definition for Information Security Risk after Information Security Program Plan in Glossary. | B-11 |
| 01-15-2014 | Editorial | Added AC-2 (11) to high baseline in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AC-10 Priority Code from P2 to P3 in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AC-14 Priority Code from P1 to P3 in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AC-22 Priority Code from P2 to P3 in Table D-2. | D-2 |
| 01-15-2014 | Editorial | Changed AU-10 Priority Code from P1 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed CA-6 Priority Code from P3 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed CA-7 Priority Code from P3 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed CA-8 Priority Code from P1 to P2 in Table D-2. | D-3 |
| 01-15-2014 | Editorial | Changed IA-6 Priority Code from P1 to P2 in Table D-2. | D-4 |
| 01-15-2014 | Editorial | Changed IR-7 Priority Code from P3 to P2 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Changed MA-3 Priority Code from P2 to P3 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Changed MA-4 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Changed MA-5 Priority Code from P1 to P2 in Table D-2. | D-5 |
| 01-15-2014 | Editorial | Deleted Program Management Controls from Table D-2. | D-8/9 |
| 01-15-2014 | Editorial | Deleted the following sentence at end of paragraph: “There is no summary table provided for the Program Management (PM) family since PM controls are not associated with any particular security control baseline.” | D-9 |
| 01-15-2014 | Editorial | Added AC-2 (12) and AC-2 (13) to high baseline in Table D-3. | D-10 |
| 01-15-2014 | Editorial | Changed AC-17 (5) incorporated into reference from AC-17 to SI-4 in Table D-3. | D-12 |
| 01-15-2014 | Editorial | Changed AC-17 (7) incorporated into reference from AC-3 to AC-3 (10) in Table D-3. | D-12 |
| 01-15-2014 | Editorial | Changed AC-6 to AC-6 (9) in AU-2 (4) withdrawal notice in Table D-5. | D-15 |
| 01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19 (4) title in Table D-17. | D-34 |
| 01-15-2014 | Editorial | Deleted SC-9 (1), SC-9 (2), SC-9 (3), and SC-9 (4) from Table D-18. | D-37 |
| 01-15-2014 | Editorial | Added AC-2 and AC-5 to SC-14 and deleted SI-9 from SC-14 in Table D-18. | D-37 |
| 01-15-2014 | Editorial | Deleted CA-3 (5) from Table E-2. | E-4 |
| 01-15-2014 | Editorial | Added CM-3 (2) to Table E-2. | E-4 |
| 01-15-2014 | Editorial | Added RA-5 (2) and RA-5 (5) to Table E-2. | E-4 |
| 01-15-2014 | Editorial | Deleted CA-3 (5) from Table E-3. | E-5 |
| 01-15-2014 | Editorial | Added CM-3 (2) to Table E-3. | E-5 |
| 01-15-2014 | Editorial | Deleted bold text from RA-5 (2) and RA-5 (5) in Table E-3. | E-5 |
| 01-15-2014 | Editorial | Added CM-8 (9) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Added CP-4 (4) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Added IR-3 (1) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Added RA-5 (3) to Table E-4. | E-7 |
| 01-15-2014 | Editorial | Deleted SA-4 (4) from Table E-4. | E-7 |
| 01-15-2014 | Editorial | Changed SA-21 (1) from “enhancements” to “enhancement” in Table E-4. | E-7 |
| 01-15-2014 | Editorial | Deleted SI-4 (8) from Table E-4. | E-7 |
| 01-15-2014 | Editorial | Changed “risk management process” to “RMF” in Using the Catalog, line 4. | F-6 |
| 01-15-2014 | Editorial | Changed “an appropriate set of security controls” to “the appropriate security control baselines” in Using the Catalog, line 5. | F-6 |
| 01-15-2014 | Editorial | Deleted extraneous “,” from AC-2 g. | F-7 |
| 01-15-2014 | Editorial | Added AC-2 (11) to high baseline. | F-10 |
| 01-15-2014 | Substantive | Added the following text to AC-3 (2) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-11 |
| 01-15-2014 | Editorial | Changed “ucdmo.gov” to “None” in AC-4 References. | F-18 |
| 01-15-2014 | Editorial | Added “.” after “C.F.R” in AT-2 References. | F-38 |
| 01-15-2014 | Editorial | Changed AC-6 to AC-6 (9) in AU-2 (4) withdrawal notice. | F-42 |
| 01-15-2014 | Editorial | Deleted “csrc.nist.gov/pcig/cig.html” and added “http://” to URL in AU-2 References. | F-42 |
| 01-15-2014 | Editorial | Changed “identify” to “identity” in AU-6 (6) Supplemental Guidance. | F-46 |
| 01-15-2014 | Substantive | Added the following text to AU-9 (5) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-49 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to AU-15. | F-53 |
| 01-15-2014 | Editorial | Deleted extraneous “.” from CM-2 (7) Supplemental Guidance. | F-66 |
| 01-15-2014 | Editorial | Added “)” after “board” in CM-3 g. | F-66 |
| 01-15-2014 | Substantive | Added CA-7 to related controls list in CM-3. | F-66 |
| 01-15-2014 | Substantive | Added the following text to CM-5 (4) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-69 |
| 01-15-2014 | Editorial | Added “http://” to URLs in CM-6 References. | F-71 |
| 01-15-2014 | Editorial | Added “component” before “inventories” in CM-8 (5). | F-74 |
| 01-15-2014 | Editorial | Changed “tsp.ncs.gov” to “http://www.dhs.gov/telecommunications-service-priority-tsp” in CP-8 References. | F-86 |
| 01-15-2014 | Substantive | Added the following text to CP-9 (7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-87 |
| 01-15-2014 | Editorial | Changed “HSPD 12” to “HSPD-12” and added “http://” to URL in IA-2 References. | F-93 |
| 01-15-2014 | Editorial | Changed “encrypted representations of” to “cryptographically-protected” in IA-5 (1) (c). | F-96 |
| 01-15-2014 | Editorial | Changed “Encrypted representations of” to “Cryptographically-protected” in IA-5 (1) Supplemental Guidance. | F-97 |
| 01-15-2014 | Substantive | Added the following text to IA-5 (1) Supplemental Guidance: “To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.” | F-97 |
| 01-15-2014 | Editorial | Added “http://” to URL in IA-5 References. | F-99 |
| 01-15-2014 | Editorial | Added “http://” to URL in IA-7 References. | F-99 |
| 01-15-2014 | Editorial | Added “http://” to URL in IA-8 References. | F-101 |
| 01-15-2014 | Editorial | Changed “:” to “;” after “800-61” and added “http://” to URL in IR-6 References. | F-108 |
| 01-15-2014 | Substantive | Added the following text to MP-6 (7) Supplemental Guidance: “Dual authorization may also be known as two-person control.” | F-124 |
| 01-15-2014 | Editorial | Added “http://” to URL in MP-6 References. | F-124 |
| 01-15-2014 | Editorial | Changed “DoDI” to “DoD Instruction” and added “http://” to URLs in PE-3 References. | F-130 |
| 01-15-2014 | Editorial | Deleted “and supplementation” after “tailoring” in PL-2 a. 8. | F-140 |
| 01-15-2014 | Editorial | Added “Special” before “Publication” in PL-4 References. | F-141 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to PL-7. | F-142 |
| 01-15-2014 | Editorial | Deleted AT-5 and AC-19 (6) (8) (9) from PL-9 Supplemental Guidance. | F-144 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to PL-9. | F-144 |
| 01-15-2014 | Editorial | Added “Special” before “Publication” in PL-9 References. | F-144 |
| 01-15-2014 | Editorial | Changed “731.106(a)” to “731.106” in PS-2 References. | F-145 |
| 01-15-2014 | Editorial | Changed “Publication” to “Publications” and added “http://” to URL in RA-3 References. | F-153 |
| 01-15-2014 | Editorial | Added “http://” to URLs in RA-5 References. | F-155 |
| 01-15-2014 | Editorial | Added “http://” to URLs in SA-4 References. | F-160 |
| 01-15-2014 | Substantive | Added the following text to SA-11 (8) Supplemental Guidance: “To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).” | F-169 |
| 01-15-2014 | Editorial | Added “http://” to URLs in SA-11 References. | F-169 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to SA-16. | F-177 |
| 01-15-2014 | Editorial | Changed “Training” to “Scanning” in SA-19 (4) title. | F-181 |
| 01-15-2014 | Editorial | Changed “physical” to “protected” in SC-8 Supplemental Guidance. | F-193 |
| 01-15-2014 | Editorial | Changed “140-2” to “140” and added “http://” to URLs in SC-13 References. | F-196 |
| 01-15-2014 | Editorial | Added “authentication” after “data origin” in SC-20, Part a. | F-199 |
| 01-15-2014 | Editorial | Added “verification” after “integrity” in SC-20, Part a. | F-199 |
| 01-15-2014 | Editorial | Added “Control Enhancements: None.” to SC-35. | F-209 |
| 01-15-2014 | Editorial | Deleted extraneous “References: None” from SI-7. | F-228 |
| 01-15-2014 | Substantive | Added the following text as new third paragraph in Appendix G: “Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control.” | G-1/2 |
| 01-15-2014 | Editorial | Added Table G-1 to Appendix G. | G-2 |
| 01-15-2014 | Editorial | Added “http://” to URL in PM-5 References. | G-5 |
| 01-15-2014 | Editorial | Deleted “Web: www.fsam.gov” from PM-7 References. | G-5 |
| 01-15-2014 | Editorial | Added “http://” to URL in Footnote 124. | J-22 |