800-53 r4 → r5 control mapping
Side-by-side view of every NIST SP 800-53 control across both revisions. The mechanical layer pairs identical numbers, flags withdrawn r4 entries, and surfaces new-in-r5 entries from the catalogs themselves; the curated layer adds rationale text from NIST’s Rev 4 to Rev 5 mapping for context-rich rows.

- r4 controls: 922
- r5 controls: 1,189
- Curated rows: 0
- Incorporated Into: 145
- New In R5: 267
- Unchanged: 740
- Withdrawn: 37

| Family | r4 | r4 Title | Change | r5 | r5 Title | Rationale | Source |
|---|---|---|---|---|---|---|---|
| AC | AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | Unchanged | AC-1 | POLICY AND PROCEDURES | mechanical | |
| AC | AC-2 | ACCOUNT MANAGEMENT | Unchanged | AC-2 | ACCOUNT MANAGEMENT | mechanical | |
| AC | AC-2 (1) | AUTOMATED SYSTEM ACCOUNT MANAGEMENT | Unchanged | AC-2(1) | AUTOMATED SYSTEM ACCOUNT MANAGEMENT | mechanical | |
| AC | AC-2 (2) | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS | Unchanged | AC-2(2) | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT | mechanical | |
| AC | AC-2 (3) | DISABLE INACTIVE ACCOUNTS | Unchanged | AC-2(3) | DISABLE ACCOUNTS | mechanical | |
| AC | AC-2 (4) | AUTOMATED AUDIT ACTIONS | Unchanged | AC-2(4) | AUTOMATED AUDIT ACTIONS | mechanical | |
| AC | AC-2 (5) | INACTIVITY LOGOUT | Unchanged | AC-2(5) | INACTIVITY LOGOUT | mechanical | |
| AC | AC-2 (6) | DYNAMIC PRIVILEGE MANAGEMENT | Unchanged | AC-2(6) | DYNAMIC PRIVILEGE MANAGEMENT | mechanical | |
| AC | AC-2 (7) | ROLE-BASED SCHEMES | Unchanged | AC-2(7) | PRIVILEGED USER ACCOUNTS | mechanical | |
| AC | AC-2 (8) | DYNAMIC ACCOUNT CREATION | Unchanged | AC-2(8) | DYNAMIC ACCOUNT MANAGEMENT | mechanical | |
| AC | AC-2 (9) | RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS | Unchanged | AC-2(9) | RESTRICTIONS ON USE OF SHARED AND GROUP ACCOUNTS | mechanical | |
| AC | AC-2 (10) | SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION | Incorporated Into | AC-2 | Incorporated into AC-2 | mechanical | |
| AC | AC-2 (11) | USAGE CONDITIONS | Unchanged | AC-2(11) | USAGE CONDITIONS | mechanical | |
| AC | AC-2 (12) | ACCOUNT MONITORING / ATYPICAL USAGE | Unchanged | AC-2(12) | ACCOUNT MONITORING FOR ATYPICAL USAGE | mechanical | |
| AC | AC-2 (13) | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS | Unchanged | AC-2(13) | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS | mechanical | |
| AC | AC-3 | ACCESS ENFORCEMENT | Unchanged | AC-3 | ACCESS ENFORCEMENT | mechanical | |
| AC | AC-3 (1) | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS | Incorporated Into | AC-6 | Incorporated into AC-6 | mechanical | |
| AC | AC-3 (2) | DUAL AUTHORIZATION | Unchanged | AC-3(2) | DUAL AUTHORIZATION | mechanical | |
| AC | AC-3 (3) | MANDATORY ACCESS CONTROL | Unchanged | AC-3(3) | MANDATORY ACCESS CONTROL | mechanical | |
| AC | AC-3 (4) | DISCRETIONARY ACCESS CONTROL | Unchanged | AC-3(4) | DISCRETIONARY ACCESS CONTROL | mechanical | |
| AC | AC-3 (5) | SECURITY-RELEVANT INFORMATION | Unchanged | AC-3(5) | SECURITY-RELEVANT INFORMATION | mechanical | |
| AC | AC-3 (6) | PROTECTION OF USER AND SYSTEM INFORMATION | Incorporated Into | MP-4, SC-28 | Incorporated into MP-4, SC-28 | mechanical | |
| AC | AC-3 (7) | ROLE-BASED ACCESS CONTROL | Unchanged | AC-3(7) | ROLE-BASED ACCESS CONTROL | mechanical | |
| AC | AC-3 (8) | REVOCATION OF ACCESS AUTHORIZATIONS | Unchanged | AC-3(8) | REVOCATION OF ACCESS AUTHORIZATIONS | mechanical | |
| AC | AC-3 (9) | CONTROLLED RELEASE | Unchanged | AC-3(9) | CONTROLLED RELEASE | mechanical | |
| AC | AC-3 (10) | AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS | Unchanged | AC-3(10) | AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS | mechanical | |
| AC | — | | New In R5 | AC-3(11) | RESTRICT ACCESS TO SPECIFIC INFORMATION TYPES | mechanical | |
| AC | — | | New In R5 | AC-3(12) | ASSERT AND ENFORCE APPLICATION ACCESS | mechanical | |
| AC | — | | New In R5 | AC-3(13) | ATTRIBUTE-BASED ACCESS CONTROL | mechanical | |
| AC | — | | New In R5 | AC-3(14) | INDIVIDUAL ACCESS | mechanical | |
| AC | — | | New In R5 | AC-3(15) | DISCRETIONARY AND MANDATORY ACCESS CONTROL | mechanical | |
| AC | AC-4 | INFORMATION FLOW ENFORCEMENT | Unchanged | AC-4 | INFORMATION FLOW ENFORCEMENT | mechanical | |
| AC | AC-4 (1) | OBJECT SECURITY ATTRIBUTES | Unchanged | AC-4(1) | OBJECT SECURITY AND PRIVACY ATTRIBUTES | mechanical | |
| AC | AC-4 (2) | PROCESSING DOMAINS | Unchanged | AC-4(2) | PROCESSING DOMAINS | mechanical | |
| AC | AC-4 (3) | DYNAMIC INFORMATION FLOW CONTROL | Unchanged | AC-4(3) | DYNAMIC INFORMATION FLOW CONTROL | mechanical | |
| AC | AC-4 (4) | CONTENT CHECK ENCRYPTED INFORMATION | Unchanged | AC-4(4) | FLOW CONTROL OF ENCRYPTED INFORMATION | mechanical | |
| AC | AC-4 (5) | EMBEDDED DATA TYPES | Unchanged | AC-4(5) | EMBEDDED DATA TYPES | mechanical | |
| AC | AC-4 (6) | METADATA | Unchanged | AC-4(6) | METADATA | mechanical | |
| AC | AC-4 (7) | ONE-WAY FLOW MECHANISMS | Unchanged | AC-4(7) | ONE-WAY FLOW MECHANISMS | mechanical | |
| AC | AC-4 (8) | SECURITY POLICY FILTERS | Unchanged | AC-4(8) | SECURITY AND PRIVACY POLICY FILTERS | mechanical | |
| AC | AC-4 (9) | HUMAN REVIEWS | Unchanged | AC-4(9) | HUMAN REVIEWS | mechanical | |
| AC | AC-4 (10) | ENABLE / DISABLE SECURITY POLICY FILTERS | Unchanged | AC-4(10) | ENABLE AND DISABLE SECURITY OR PRIVACY POLICY FILTERS | mechanical | |
| AC | AC-4 (11) | CONFIGURATION OF SECURITY POLICY FILTERS | Unchanged | AC-4(11) | CONFIGURATION OF SECURITY OR PRIVACY POLICY FILTERS | mechanical | |
| AC | AC-4 (12) | DATA TYPE IDENTIFIERS | Unchanged | AC-4(12) | DATA TYPE IDENTIFIERS | mechanical | |
| AC | AC-4 (13) | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS | Unchanged | AC-4(13) | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS | mechanical | |
| AC | AC-4 (14) | SECURITY POLICY FILTER CONSTRAINTS | Unchanged | AC-4(14) | SECURITY OR PRIVACY POLICY FILTER CONSTRAINTS | mechanical | |
| AC | AC-4 (15) | DETECTION OF UNSANCTIONED INFORMATION | Unchanged | AC-4(15) | DETECTION OF UNSANCTIONED INFORMATION | mechanical | |
| AC | AC-4 (16) | INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS | Incorporated Into | AC-4 | Incorporated into AC-4 | mechanical | |
| AC | AC-4 (17) | DOMAIN AUTHENTICATION | Unchanged | AC-4(17) | DOMAIN AUTHENTICATION | mechanical | |
| AC | AC-4 (18) | SECURITY ATTRIBUTE BINDING | Incorporated Into | AC-16 | Incorporated into AC-16 | mechanical | |
| AC | AC-4 (19) | VALIDATION OF METADATA | Unchanged | AC-4(19) | VALIDATION OF METADATA | mechanical | |
| AC | AC-4 (20) | APPROVED SOLUTIONS | Unchanged | AC-4(20) | APPROVED SOLUTIONS | mechanical | |
| AC | AC-4 (21) | PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS | Unchanged | AC-4(21) | PHYSICAL OR LOGICAL SEPARATION OF INFORMATION FLOWS | mechanical | |
| AC | AC-4 (22) | ACCESS ONLY | Unchanged | AC-4(22) | ACCESS ONLY | mechanical | |
| AC | — | | New In R5 | AC-4(23) | MODIFY NON-RELEASABLE INFORMATION | mechanical | |
| AC | — | | New In R5 | AC-4(24) | INTERNAL NORMALIZED FORMAT | mechanical | |
| AC | — | | New In R5 | AC-4(25) | DATA SANITIZATION | mechanical | |
| AC | — | | New In R5 | AC-4(26) | AUDIT FILTERING ACTIONS | mechanical | |
| AC | — | | New In R5 | AC-4(27) | REDUNDANT/INDEPENDENT FILTERING MECHANISMS | mechanical | |
| AC | — | | New In R5 | AC-4(28) | LINEAR FILTER PIPELINES | mechanical | |
| AC | — | | New In R5 | AC-4(29) | FILTER ORCHESTRATION ENGINES | mechanical | |
| AC | — | | New In R5 | AC-4(30) | FILTER MECHANISMS USING MULTIPLE PROCESSES | mechanical | |
| AC | — | | New In R5 | AC-4(31) | FAILED CONTENT TRANSFER PREVENTION | mechanical | |
| AC | — | | New In R5 | AC-4(32) | PROCESS REQUIREMENTS FOR INFORMATION TRANSFER | mechanical | |
| AC | AC-5 | SEPARATION OF DUTIES | Unchanged | AC-5 | SEPARATION OF DUTIES | mechanical | |
| AC | AC-6 | LEAST PRIVILEGE | Unchanged | AC-6 | LEAST PRIVILEGE | mechanical | |
| AC | AC-6 (1) | AUTHORIZE ACCESS TO SECURITY FUNCTIONS | Unchanged | AC-6(1) | AUTHORIZE ACCESS TO SECURITY FUNCTIONS | mechanical | |
| AC | AC-6 (2) | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS | Unchanged | AC-6(2) | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS | mechanical | |
| AC | AC-6 (3) | NETWORK ACCESS TO PRIVILEGED COMMANDS | Unchanged | AC-6(3) | NETWORK ACCESS TO PRIVILEGED COMMANDS | mechanical | |
| AC | AC-6 (4) | SEPARATE PROCESSING DOMAINS | Unchanged | AC-6(4) | SEPARATE PROCESSING DOMAINS | mechanical | |
| AC | AC-6 (5) | PRIVILEGED ACCOUNTS | Unchanged | AC-6(5) | PRIVILEGED ACCOUNTS | mechanical | |
| AC | AC-6 (6) | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS | Unchanged | AC-6(6) | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS | mechanical | |
| AC | AC-6 (7) | REVIEW OF USER PRIVILEGES | Unchanged | AC-6(7) | REVIEW OF USER PRIVILEGES | mechanical | |
| AC | AC-6 (8) | PRIVILEGE LEVELS FOR CODE EXECUTION | Unchanged | AC-6(8) | PRIVILEGE LEVELS FOR CODE EXECUTION | mechanical | |
| AC | AC-6 (9) | AUDITING USE OF PRIVILEGED FUNCTIONS | Unchanged | AC-6(9) | LOG USE OF PRIVILEGED FUNCTIONS | mechanical | |
| AC | AC-6 (10) | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | Unchanged | AC-6(10) | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | mechanical | |
| AC | AC-7 | UNSUCCESSFUL LOGON ATTEMPTS | Unchanged | AC-7 | UNSUCCESSFUL LOGON ATTEMPTS | mechanical | |
| AC | AC-7 (1) | AUTOMATIC ACCOUNT LOCK | Incorporated Into | AC-7 | Incorporated into AC-7 | mechanical | |
| AC | AC-7 (2) | PURGE / WIPE MOBILE DEVICE | Unchanged | AC-7(2) | PURGE OR WIPE MOBILE DEVICE | mechanical | |
| AC | — | | New In R5 | AC-7(3) | BIOMETRIC ATTEMPT LIMITING | mechanical | |
| AC | — | | New In R5 | AC-7(4) | USE OF ALTERNATE AUTHENTICATION FACTOR | mechanical | |
| AC | AC-8 | SYSTEM USE NOTIFICATION | Unchanged | AC-8 | SYSTEM USE NOTIFICATION | mechanical | |
| AC | AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION | Unchanged | AC-9 | PREVIOUS LOGON NOTIFICATION | mechanical | |
| AC | AC-9 (1) | UNSUCCESSFUL LOGONS | Unchanged | AC-9(1) | UNSUCCESSFUL LOGONS | mechanical | |
| AC | AC-9 (2) | SUCCESSFUL / UNSUCCESSFUL LOGONS | Unchanged | AC-9(2) | SUCCESSFUL AND UNSUCCESSFUL LOGONS | mechanical | |
| AC | AC-9 (3) | NOTIFICATION OF ACCOUNT CHANGES | Unchanged | AC-9(3) | NOTIFICATION OF ACCOUNT CHANGES | mechanical | |
| AC | AC-9 (4) | ADDITIONAL LOGON INFORMATION | Unchanged | AC-9(4) | ADDITIONAL LOGON INFORMATION | mechanical | |
| AC | AC-10 | CONCURRENT SESSION CONTROL | Unchanged | AC-10 | CONCURRENT SESSION CONTROL | mechanical | |
| AC | AC-11 | SESSION LOCK | Unchanged | AC-11 | DEVICE LOCK | mechanical | |
| AC | AC-11 (1) | PATTERN-HIDING DISPLAYS | Unchanged | AC-11(1) | PATTERN-HIDING DISPLAYS | mechanical | |
| AC | AC-12 | SESSION TERMINATION | Unchanged | AC-12 | SESSION TERMINATION | mechanical | |
| AC | AC-12 (1) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS | Unchanged | AC-12(1) | USER-INITIATED LOGOUTS | mechanical | |
| AC | — | | New In R5 | AC-12(2) | TERMINATION MESSAGE | mechanical | |
| AC | — | | New In R5 | AC-12(3) | TIMEOUT WARNING MESSAGE | mechanical | |
| AC | AC-13 | SUPERVISION AND REVIEW - ACCESS CONTROL | Incorporated Into | AC-2, AU-6 | Incorporated into AC-2, AU-6 | mechanical | |
| AC | AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | Unchanged | AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | mechanical | |
| AC | AC-14 (1) | NECESSARY USES | Incorporated Into | AC-14 | Incorporated into AC-14 | mechanical | |
| AC | AC-15 | AUTOMATED MARKING | Incorporated Into | MP-3 | Incorporated into MP-3 | mechanical | |
| AC | AC-16 | SECURITY ATTRIBUTES | Unchanged | AC-16 | SECURITY AND PRIVACY ATTRIBUTES | mechanical | |
| AC | AC-16 (1) | DYNAMIC ATTRIBUTE ASSOCIATION | Unchanged | AC-16(1) | DYNAMIC ATTRIBUTE ASSOCIATION | mechanical | |
| AC | AC-16 (2) | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS | Unchanged | AC-16(2) | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS | mechanical | |
| AC | AC-16 (3) | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM | Unchanged | AC-16(3) | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM | mechanical | |
| AC | AC-16 (4) | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS | Unchanged | AC-16(4) | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS | mechanical | |
| AC | AC-16 (5) | ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES | Unchanged | AC-16(5) | ATTRIBUTE DISPLAYS ON OBJECTS TO BE OUTPUT | mechanical | |
| AC | AC-16 (6) | MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION | Unchanged | AC-16(6) | MAINTENANCE OF ATTRIBUTE ASSOCIATION | mechanical | |
| AC | AC-16 (7) | CONSISTENT ATTRIBUTE INTERPRETATION | Unchanged | AC-16(7) | CONSISTENT ATTRIBUTE INTERPRETATION | mechanical | |
| AC | AC-16 (8) | ASSOCIATION TECHNIQUES / TECHNOLOGIES | Unchanged | AC-16(8) | ASSOCIATION TECHNIQUES AND TECHNOLOGIES | mechanical | |
| AC | AC-16 (9) | ATTRIBUTE REASSIGNMENT | Unchanged | AC-16(9) | ATTRIBUTE REASSIGNMENT — REGRADING MECHANISMS | mechanical | |
| AC | AC-16 (10) | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS | Unchanged | AC-16(10) | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS | mechanical | |
| AC | AC-17 | REMOTE ACCESS | Unchanged | AC-17 | REMOTE ACCESS | mechanical | |
| AC | AC-17 (1) | AUTOMATED MONITORING / CONTROL | Unchanged | AC-17(1) | MONITORING AND CONTROL | mechanical | |
| AC | AC-17 (2) | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION | Unchanged | AC-17(2) | PROTECTION OF CONFIDENTIALITY AND INTEGRITY USING ENCRYPTION | mechanical | |
| AC | AC-17 (3) | MANAGED ACCESS CONTROL POINTS | Unchanged | AC-17(3) | MANAGED ACCESS CONTROL POINTS | mechanical | |
| AC | AC-17 (4) | PRIVILEGED COMMANDS / ACCESS | Unchanged | AC-17(4) | PRIVILEGED COMMANDS AND ACCESS | mechanical | |
| AC | AC-17 (5) | MONITORING FOR UNAUTHORIZED CONNECTIONS | Incorporated Into | SI-4 | Incorporated into SI-4 | mechanical | |
| AC | AC-17 (6) | PROTECTION OF INFORMATION | Unchanged | AC-17(6) | PROTECTION OF MECHANISM INFORMATION | mechanical | |
| AC | AC-17 (7) | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS | Incorporated Into | AC-3(10) | Incorporated into AC-3(10) | mechanical | |
| AC | AC-17 (8) | DISABLE NONSECURE NETWORK PROTOCOLS | Incorporated Into | CM-7 | Incorporated into CM-7 | mechanical | |
| AC | AC-17 (9) | DISCONNECT / DISABLE ACCESS | Unchanged | AC-17(9) | DISCONNECT OR DISABLE ACCESS | mechanical | |
| AC | — | | New In R5 | AC-17(10) | AUTHENTICATE REMOTE COMMANDS | mechanical | |
| AC | AC-18 | WIRELESS ACCESS | Unchanged | AC-18 | WIRELESS ACCESS | mechanical | |
| AC | AC-18 (1) | AUTHENTICATION AND ENCRYPTION | Unchanged | AC-18(1) | AUTHENTICATION AND ENCRYPTION | mechanical | |
| AC | AC-18 (2) | MONITORING UNAUTHORIZED CONNECTIONS | Incorporated Into | SI-4 | Incorporated into SI-4 | mechanical | |
| AC | AC-18 (3) | DISABLE WIRELESS NETWORKING | Unchanged | AC-18(3) | DISABLE WIRELESS NETWORKING | mechanical | |
| AC | AC-18 (4) | RESTRICT CONFIGURATIONS BY USERS | Unchanged | AC-18(4) | RESTRICT CONFIGURATIONS BY USERS | mechanical | |
| AC | AC-18 (5) | ANTENNAS / TRANSMISSION POWER LEVELS | Unchanged | AC-18(5) | ANTENNAS AND TRANSMISSION POWER LEVELS | mechanical | |
| AC | AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | Unchanged | AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | mechanical | |
| AC | AC-19 (1) | USE OF WRITABLE / PORTABLE STORAGE DEVICES | Incorporated Into | MP-7 | Incorporated into MP-7 | mechanical | |
| AC | AC-19 (2) | USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES | Incorporated Into | MP-7 | Incorporated into MP-7 | mechanical | |
| AC | AC-19 (3) | USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER | Incorporated Into | MP-7 | Incorporated into MP-7 | mechanical | |
| AC | AC-19 (4) | RESTRICTIONS FOR CLASSIFIED INFORMATION | Unchanged | AC-19(4) | RESTRICTIONS FOR CLASSIFIED INFORMATION | mechanical | |
| AC | AC-19 (5) | FULL DEVICE / CONTAINER-BASED ENCRYPTION | Unchanged | AC-19(5) | FULL DEVICE OR CONTAINER-BASED ENCRYPTION | mechanical | |
| AC | AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS | Unchanged | AC-20 | USE OF EXTERNAL SYSTEMS | mechanical | |
| AC | AC-20 (1) | LIMITS ON AUTHORIZED USE | Unchanged | AC-20(1) | LIMITS ON AUTHORIZED USE | mechanical | |
| AC | AC-20 (2) | PORTABLE STORAGE DEVICES | Unchanged | AC-20(2) | PORTABLE STORAGE DEVICES — RESTRICTED USE | mechanical | |
| AC | AC-20 (3) | NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES | Unchanged | AC-20(3) | NON-ORGANIZATIONALLY OWNED SYSTEMS — RESTRICTED USE | mechanical | |
| AC | AC-20 (4) | NETWORK ACCESSIBLE STORAGE DEVICES | Unchanged | AC-20(4) | NETWORK ACCESSIBLE STORAGE DEVICES — PROHIBITED USE | mechanical | |
| AC | — | | New In R5 | AC-20(5) | PORTABLE STORAGE DEVICES — PROHIBITED USE | mechanical | |
| AC | AC-21 | INFORMATION SHARING | Unchanged | AC-21 | INFORMATION SHARING | mechanical | |
| AC | AC-21 (1) | AUTOMATED DECISION SUPPORT | Unchanged | AC-21(1) | AUTOMATED DECISION SUPPORT | mechanical | |
| AC | AC-21 (2) | INFORMATION SEARCH AND RETRIEVAL | Unchanged | AC-21(2) | INFORMATION SEARCH AND RETRIEVAL | mechanical | |
| AC | AC-22 | PUBLICLY ACCESSIBLE CONTENT | Unchanged | AC-22 | PUBLICLY ACCESSIBLE CONTENT | mechanical | |
| AC | AC-23 | DATA MINING PROTECTION | Unchanged | AC-23 | DATA MINING PROTECTION | mechanical | |
| AC | AC-24 | ACCESS CONTROL DECISIONS | Unchanged | AC-24 | ACCESS CONTROL DECISIONS | mechanical | |
| AC | AC-24 (1) | TRANSMIT ACCESS AUTHORIZATION INFORMATION | Unchanged | AC-24(1) | TRANSMIT ACCESS AUTHORIZATION INFORMATION | mechanical | |
| AC | AC-24 (2) | NO USER OR PROCESS IDENTITY | Unchanged | AC-24(2) | NO USER OR PROCESS IDENTITY | mechanical | |
| AC | AC-25 | REFERENCE MONITOR | Unchanged | AC-25 | REFERENCE MONITOR | mechanical | |
| AT | AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | Unchanged | AT-1 | POLICY AND PROCEDURES | mechanical | |
| AT | AT-2 | SECURITY AWARENESS TRAINING | Unchanged | AT-2 | LITERACY TRAINING AND AWARENESS | mechanical | |
| AT | AT-2 (1) | PRACTICAL EXERCISES | Unchanged | AT-2(1) | PRACTICAL EXERCISES | mechanical | |
| AT | AT-2 (2) | INSIDER THREAT | Unchanged | AT-2(2) | INSIDER THREAT | mechanical | |
| AT | — | | New In R5 | AT-2(3) | SOCIAL ENGINEERING AND MINING | mechanical | |
| AT | — | | New In R5 | AT-2(4) | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR | mechanical | |
| AT | — | | New In R5 | AT-2(5) | ADVANCED PERSISTENT THREAT | mechanical | |
| AT | — | | New In R5 | AT-2(6) | CYBER THREAT ENVIRONMENT | mechanical | |
| AT | AT-3 | ROLE-BASED SECURITY TRAINING | Unchanged | AT-3 | ROLE-BASED TRAINING | mechanical | |
| AT | AT-3 (1) | ENVIRONMENTAL CONTROLS | Unchanged | AT-3(1) | ENVIRONMENTAL CONTROLS | mechanical | |
| AT | AT-3 (2) | PHYSICAL SECURITY CONTROLS | Unchanged | AT-3(2) | PHYSICAL SECURITY CONTROLS | mechanical | |
| AT | AT-3 (3) | PRACTICAL EXERCISES | Unchanged | AT-3(3) | PRACTICAL EXERCISES | mechanical | |
| AT | AT-3 (4) | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR | Withdrawn | — | | mechanical | |
| AT | — | | New In R5 | AT-3(5) | PROCESSING PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| AT | AT-4 | SECURITY TRAINING RECORDS | Unchanged | AT-4 | TRAINING RECORDS | mechanical | |
| AT | AT-5 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | Incorporated Into | PM-15 | Incorporated into PM-15 | mechanical | |
| AT | — | | New In R5 | AT-6 | TRAINING FEEDBACK | mechanical | |
| AU | AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Unchanged | AU-1 | POLICY AND PROCEDURES | mechanical | |
| AU | AU-2 | AUDIT EVENTS | Unchanged | AU-2 | EVENT LOGGING | mechanical | |
| AU | AU-2 (1) | COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES | Incorporated Into | AU-12 | Incorporated into AU-12 | mechanical | |
| AU | AU-2 (2) | SELECTION OF AUDIT EVENTS BY COMPONENT | Incorporated Into | AU-12 | Incorporated into AU-12 | mechanical | |
| AU | AU-2 (3) | REVIEWS AND UPDATES | Incorporated Into | AU-2 | Incorporated into AU-2 | mechanical | |
| AU | AU-2 (4) | PRIVILEGED FUNCTIONS | Incorporated Into | AC-6(9) | Incorporated into AC-6(9) | mechanical | |
| AU | AU-3 | CONTENT OF AUDIT RECORDS | Unchanged | AU-3 | CONTENT OF AUDIT RECORDS | mechanical | |
| AU | AU-3 (1) | ADDITIONAL AUDIT INFORMATION | Unchanged | AU-3(1) | ADDITIONAL AUDIT INFORMATION | mechanical | |
| AU | AU-3 (2) | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT | Incorporated Into | PL-9 | Incorporated into PL-9 | mechanical | |
| AU | — | | New In R5 | AU-3(3) | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS | mechanical | |
| AU | AU-4 | AUDIT STORAGE CAPACITY | Unchanged | AU-4 | AUDIT LOG STORAGE CAPACITY | mechanical | |
| AU | AU-4 (1) | TRANSFER TO ALTERNATE STORAGE | Unchanged | AU-4(1) | TRANSFER TO ALTERNATE STORAGE | mechanical | |
| AU | AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | Unchanged | AU-5 | RESPONSE TO AUDIT LOGGING PROCESS FAILURES | mechanical | |
| AU | AU-5 (1) | AUDIT STORAGE CAPACITY | Unchanged | AU-5(1) | STORAGE CAPACITY WARNING | mechanical | |
| AU | AU-5 (2) | REAL-TIME ALERTS | Unchanged | AU-5(2) | REAL-TIME ALERTS | mechanical | |
| AU | AU-5 (3) | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS | Unchanged | AU-5(3) | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS | mechanical | |
| AU | AU-5 (4) | SHUTDOWN ON FAILURE | Unchanged | AU-5(4) | SHUTDOWN ON FAILURE | mechanical | |
| AU | — | | New In R5 | AU-5(5) | ALTERNATE AUDIT LOGGING CAPABILITY | mechanical | |
| AU | AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | Unchanged | AU-6 | AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | mechanical | |
| AU | AU-6 (1) | PROCESS INTEGRATION | Unchanged | AU-6(1) | AUTOMATED PROCESS INTEGRATION | mechanical | |
| AU | AU-6 (2) | AUTOMATED SECURITY ALERTS | Incorporated Into | SI-4 | Incorporated into SI-4 | mechanical | |
| AU | AU-6 (3) | CORRELATE AUDIT REPOSITORIES | Unchanged | AU-6(3) | CORRELATE AUDIT RECORD REPOSITORIES | mechanical | |
| AU | AU-6 (4) | CENTRAL REVIEW AND ANALYSIS | Unchanged | AU-6(4) | CENTRAL REVIEW AND ANALYSIS | mechanical | |
| AU | AU-6 (5) | INTEGRATION / SCANNING AND MONITORING CAPABILITIES | Unchanged | AU-6(5) | INTEGRATED ANALYSIS OF AUDIT RECORDS | mechanical | |
| AU | AU-6 (6) | CORRELATION WITH PHYSICAL MONITORING | Unchanged | AU-6(6) | CORRELATION WITH PHYSICAL MONITORING | mechanical | |
| AU | AU-6 (7) | PERMITTED ACTIONS | Unchanged | AU-6(7) | PERMITTED ACTIONS | mechanical | |
| AU | AU-6 (8) | FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS | Unchanged | AU-6(8) | FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS | mechanical | |
| AU | AU-6 (9) | CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES | Unchanged | AU-6(9) | CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES | mechanical | |
| AU | AU-6 (10) | AUDIT LEVEL ADJUSTMENT | Incorporated Into | AU-6 | Incorporated into AU-6 | mechanical | |
| AU | AU-7 | AUDIT REDUCTION AND REPORT GENERATION | Unchanged | AU-7 | AUDIT RECORD REDUCTION AND REPORT GENERATION | mechanical | |
| AU | AU-7 (1) | AUTOMATIC PROCESSING | Unchanged | AU-7(1) | AUTOMATIC PROCESSING | mechanical | |
| AU | AU-7 (2) | AUTOMATIC SORT AND SEARCH | Incorporated Into | AU-7(1) | Incorporated into AU-7(1) | mechanical | |
| AU | AU-8 | TIME STAMPS | Unchanged | AU-8 | TIME STAMPS | mechanical | |
| AU | AU-8 (1) | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE | Withdrawn | — | | mechanical | |
| AU | AU-8 (2) | SECONDARY AUTHORITATIVE TIME SOURCE | Withdrawn | — | | mechanical | |
| AU | AU-9 | PROTECTION OF AUDIT INFORMATION | Unchanged | AU-9 | PROTECTION OF AUDIT INFORMATION | mechanical | |
| AU | AU-9 (1) | HARDWARE WRITE-ONCE MEDIA | Unchanged | AU-9(1) | HARDWARE WRITE-ONCE MEDIA | mechanical | |
| AU | AU-9 (2) | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS | Unchanged | AU-9(2) | STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS | mechanical | |
| AU | AU-9 (3) | CRYPTOGRAPHIC PROTECTION | Unchanged | AU-9(3) | CRYPTOGRAPHIC PROTECTION | mechanical | |
| AU | AU-9 (4) | ACCESS BY SUBSET OF PRIVILEGED USERS | Unchanged | AU-9(4) | ACCESS BY SUBSET OF PRIVILEGED USERS | mechanical | |
| AU | AU-9 (5) | DUAL AUTHORIZATION | Unchanged | AU-9(5) | DUAL AUTHORIZATION | mechanical | |
| AU | AU-9 (6) | READ ONLY ACCESS | Unchanged | AU-9(6) | READ-ONLY ACCESS | mechanical | |
| AU | — | | New In R5 | AU-9(7) | STORE ON COMPONENT WITH DIFFERENT OPERATING SYSTEM | mechanical | |
| AU | AU-10 | NON-REPUDIATION | Unchanged | AU-10 | NON-REPUDIATION | mechanical | |
| AU | AU-10 (1) | ASSOCIATION OF IDENTITIES | Unchanged | AU-10(1) | ASSOCIATION OF IDENTITIES | mechanical | |
| AU | AU-10 (2) | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY | Unchanged | AU-10(2) | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY | mechanical | |
| AU | AU-10 (3) | CHAIN OF CUSTODY | Unchanged | AU-10(3) | CHAIN OF CUSTODY | mechanical | |
| AU | AU-10 (4) | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY | Unchanged | AU-10(4) | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY | mechanical | |
| AU | AU-10 (5) | DIGITAL SIGNATURES | Incorporated Into | SI-7 | Incorporated into SI-7 | mechanical | |
| AU | AU-11 | AUDIT RECORD RETENTION | Unchanged | AU-11 | AUDIT RECORD RETENTION | mechanical | |
| AU | AU-11 (1) | LONG-TERM RETRIEVAL CAPABILITY | Unchanged | AU-11(1) | LONG-TERM RETRIEVAL CAPABILITY | mechanical | |
| AU | AU-12 | AUDIT GENERATION | Unchanged | AU-12 | AUDIT RECORD GENERATION | mechanical | |
| AU | AU-12 (1) | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL | Unchanged | AU-12(1) | SYSTEM-WIDE AND TIME-CORRELATED AUDIT TRAIL | mechanical | |
| AU | AU-12 (2) | STANDARDIZED FORMATS | Unchanged | AU-12(2) | STANDARDIZED FORMATS | mechanical | |
| AU | AU-12 (3) | CHANGES BY AUTHORIZED INDIVIDUALS | Unchanged | AU-12(3) | CHANGES BY AUTHORIZED INDIVIDUALS | mechanical | |
| AU | — | | New In R5 | AU-12(4) | QUERY PARAMETER AUDITS OF PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| AU | AU-13 | MONITORING FOR INFORMATION DISCLOSURE | Unchanged | AU-13 | MONITORING FOR INFORMATION DISCLOSURE | mechanical | |
| AU | AU-13 (1) | USE OF AUTOMATED TOOLS | Unchanged | AU-13(1) | USE OF AUTOMATED TOOLS | mechanical | |
| AU | AU-13 (2) | REVIEW OF MONITORED SITES | Unchanged | AU-13(2) | REVIEW OF MONITORED SITES | mechanical | |
| AU | — | | New In R5 | AU-13(3) | UNAUTHORIZED REPLICATION OF INFORMATION | mechanical | |
| AU | AU-14 | SESSION AUDIT | Unchanged | AU-14 | SESSION AUDIT | mechanical | |
| AU | AU-14 (1) | SYSTEM START-UP | Unchanged | AU-14(1) | SYSTEM START-UP | mechanical | |
| AU | AU-14 (2) | CAPTURE/RECORD AND LOG CONTENT | Incorporated Into | AU-14 | Incorporated into AU-14 | mechanical | |
| AU | AU-14 (3) | REMOTE VIEWING / LISTENING | Unchanged | AU-14(3) | REMOTE VIEWING AND LISTENING | mechanical | |
| AU | AU-15 | ALTERNATE AUDIT CAPABILITY | Withdrawn | — | | mechanical | |
| AU | AU-16 | CROSS-ORGANIZATIONAL AUDITING | Unchanged | AU-16 | CROSS-ORGANIZATIONAL AUDIT LOGGING | mechanical | |
| AU | AU-16 (1) | IDENTITY PRESERVATION | Unchanged | AU-16(1) | IDENTITY PRESERVATION | mechanical | |
| AU | AU-16 (2) | SHARING OF AUDIT INFORMATION | Unchanged | AU-16(2) | SHARING OF AUDIT INFORMATION | mechanical | |
| AU | — | | New In R5 | AU-16(3) | DISASSOCIABILITY | mechanical | |
| CA | CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES | Unchanged | CA-1 | POLICY AND PROCEDURES | mechanical | |
| CA | CA-2 | SECURITY ASSESSMENTS | Unchanged | CA-2 | CONTROL ASSESSMENTS | mechanical | |
| CA | CA-2 (1) | INDEPENDENT ASSESSORS | Unchanged | CA-2(1) | INDEPENDENT ASSESSORS | mechanical | |
| CA | CA-2 (2) | SPECIALIZED ASSESSMENTS | Unchanged | CA-2(2) | SPECIALIZED ASSESSMENTS | mechanical | |
| CA | CA-2 (3) | EXTERNAL ORGANIZATIONS | Unchanged | CA-2(3) | LEVERAGING RESULTS FROM EXTERNAL ORGANIZATIONS | mechanical | |
| CA | CA-3 | SYSTEM INTERCONNECTIONS | Unchanged | CA-3 | INFORMATION EXCHANGE | mechanical | |
| CA | CA-3 (1) | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS | Withdrawn | — | | mechanical | |
| CA | CA-3 (2) | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS | Withdrawn | — | | mechanical | |
| CA | CA-3 (3) | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS | Withdrawn | — | | mechanical | |
| CA | CA-3 (4) | CONNECTIONS TO PUBLIC NETWORKS | Withdrawn | — | | mechanical | |
| CA | CA-3 (5) | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS | Withdrawn | — | | mechanical | |
| CA | — | | New In R5 | CA-3(6) | TRANSFER AUTHORIZATIONS | mechanical | |
| CA | — | | New In R5 | CA-3(7) | TRANSITIVE INFORMATION EXCHANGES | mechanical | |
| CA | CA-4 | SECURITY CERTIFICATION | Incorporated Into | CA-2 | Incorporated into CA-2 | mechanical | |
| CA | CA-5 | PLAN OF ACTION AND MILESTONES | Unchanged | CA-5 | PLAN OF ACTION AND MILESTONES | mechanical | |
| CA | CA-5 (1) | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY | Unchanged | CA-5(1) | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY | mechanical | |
| CA | CA-6 | SECURITY AUTHORIZATION | Unchanged | CA-6 | AUTHORIZATION | mechanical | |
| CA | — | | New In R5 | CA-6(1) | JOINT AUTHORIZATION — INTRA-ORGANIZATION | mechanical | |
| CA | — | | New In R5 | CA-6(2) | JOINT AUTHORIZATION — INTER-ORGANIZATION | mechanical | |
| CA | CA-7 | CONTINUOUS MONITORING | Unchanged | CA-7 | CONTINUOUS MONITORING | mechanical | |
| CA | CA-7 (1) | INDEPENDENT ASSESSMENT | Unchanged | CA-7(1) | INDEPENDENT ASSESSMENT | mechanical | |
| CA | CA-7 (2) | TYPES OF ASSESSMENTS | Incorporated Into | CA-2 | Incorporated into CA-2 | mechanical | |
| CA | CA-7 (3) | TREND ANALYSES | Unchanged | CA-7(3) | TREND ANALYSES | mechanical | |
| CA | — | | New In R5 | CA-7(4) | RISK MONITORING | mechanical | |
| CA | — | | New In R5 | CA-7(5) | CONSISTENCY ANALYSIS | mechanical | |
| CA | — | | New In R5 | CA-7(6) | AUTOMATION SUPPORT FOR MONITORING | mechanical | |
| CA | CA-8 | PENETRATION TESTING | Unchanged | CA-8 | PENETRATION TESTING | mechanical | |
| CA | CA-8 (1) | INDEPENDENT PENETRATION AGENT OR TEAM | Unchanged | CA-8(1) | INDEPENDENT PENETRATION TESTING AGENT OR TEAM | mechanical | |
| CA | CA-8 (2) | RED TEAM EXERCISES | Unchanged | CA-8(2) | RED TEAM EXERCISES | mechanical | |
| CA | — | | New In R5 | CA-8(3) | FACILITY PENETRATION TESTING | mechanical | |
| CA | CA-9 | INTERNAL SYSTEM CONNECTIONS | Unchanged | CA-9 | INTERNAL SYSTEM CONNECTIONS | mechanical | |
| CA | CA-9 (1) | SECURITY COMPLIANCE CHECKS | Unchanged | CA-9(1) | COMPLIANCE CHECKS | mechanical | |
| CM | CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | Unchanged | CM-1 | POLICY AND PROCEDURES | mechanical | |
| CM | CM-2 | BASELINE CONFIGURATION | Unchanged | CM-2 | BASELINE CONFIGURATION | mechanical | |
| CM | CM-2 (1) | REVIEWS AND UPDATES | Incorporated Into | CM-2 | Incorporated into CM-2 | mechanical | |
| CM | CM-2 (2) | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY | Unchanged | CM-2(2) | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY | mechanical | |
| CM | CM-2 (3) | RETENTION OF PREVIOUS CONFIGURATIONS | Unchanged | CM-2(3) | RETENTION OF PREVIOUS CONFIGURATIONS | mechanical | |
| CM | CM-2 (4) | UNAUTHORIZED SOFTWARE | Incorporated Into | CM-7(4) | Incorporated into CM-7(4) | mechanical | |
| CM | CM-2 (5) | AUTHORIZED SOFTWARE | Incorporated Into | CM-7(5) | Incorporated into CM-7(5) | mechanical | |
| CM | CM-2 (6) | DEVELOPMENT AND TEST ENVIRONMENTS | Unchanged | CM-2(6) | DEVELOPMENT AND TEST ENVIRONMENTS | mechanical | |
| CM | CM-2 (7) | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS | Unchanged | CM-2(7) | CONFIGURE SYSTEMS AND COMPONENTS FOR HIGH-RISK AREAS | mechanical | |
| CM | CM-3 | CONFIGURATION CHANGE CONTROL | Unchanged | CM-3 | CONFIGURATION CHANGE CONTROL | mechanical | |
| CM | CM-3 (1) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | Unchanged | CM-3(1) | AUTOMATED DOCUMENTATION, NOTIFICATION, AND PROHIBITION OF CHANGES | mechanical | |
| CM | CM-3 (2) | TEST / VALIDATE / DOCUMENT CHANGES | Unchanged | CM-3(2) | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES | mechanical | |
| CM | CM-3 (3) | AUTOMATED CHANGE IMPLEMENTATION | Unchanged | CM-3(3) | AUTOMATED CHANGE IMPLEMENTATION | mechanical | |
| CM | CM-3 (4) | SECURITY REPRESENTATIVE | Unchanged | CM-3(4) | SECURITY AND PRIVACY REPRESENTATIVES | mechanical | |
| CM | CM-3 (5) | AUTOMATED SECURITY RESPONSE | Unchanged | CM-3(5) | AUTOMATED SECURITY RESPONSE | mechanical | |
| CM | CM-3 (6) | CRYPTOGRAPHY MANAGEMENT | Unchanged | CM-3(6) | CRYPTOGRAPHY MANAGEMENT | mechanical | |
| CM | — | | New In R5 | CM-3(7) | REVIEW SYSTEM CHANGES | mechanical | |
| CM | — | | New In R5 | CM-3(8) | PREVENT OR RESTRICT CONFIGURATION CHANGES | mechanical | |
| CM | CM-4 | SECURITY IMPACT ANALYSIS | Unchanged | CM-4 | IMPACT ANALYSES | mechanical | |
| CM | CM-4 (1) | SEPARATE TEST ENVIRONMENTS | Unchanged | CM-4(1) | SEPARATE TEST ENVIRONMENTS | mechanical | |
| CM | CM-4 (2) | VERIFICATION OF SECURITY FUNCTIONS | Unchanged | CM-4(2) | VERIFICATION OF CONTROLS | mechanical | |
| CM | CM-5 | ACCESS RESTRICTIONS FOR CHANGE | Unchanged | CM-5 | ACCESS RESTRICTIONS FOR CHANGE | mechanical | |
| CM | CM-5 (1) | AUTOMATED ACCESS ENFORCEMENT / AUDITING | Unchanged | CM-5(1) | AUTOMATED ACCESS ENFORCEMENT AND AUDIT RECORDS | mechanical | |
| CM | CM-5 (2) | REVIEW SYSTEM CHANGES | Incorporated Into | CM-3(7) | Incorporated into CM-3(7) | mechanical | |
| CM | CM-5 (3) | SIGNED COMPONENTS | Withdrawn | — | | mechanical | |
| CM | CM-5 (4) | DUAL AUTHORIZATION | Unchanged | CM-5(4) | DUAL AUTHORIZATION | mechanical | |
| CM | CM-5 (5) | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES | Unchanged | CM-5(5) | PRIVILEGE LIMITATION FOR PRODUCTION AND OPERATION | mechanical | |
| CM | CM-5 (6) | LIMIT LIBRARY PRIVILEGES | Unchanged | CM-5(6) | LIMIT LIBRARY PRIVILEGES | mechanical | |
| CM | CM-5 (7) | AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS | Incorporated Into | SI-7 | Incorporated into SI-7 | mechanical | |
| CM | CM-6 | CONFIGURATION SETTINGS | Unchanged | CM-6 | CONFIGURATION SETTINGS | mechanical | |
| CM | CM-6 (1) | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION | Unchanged | CM-6(1) | AUTOMATED MANAGEMENT, APPLICATION, AND VERIFICATION | mechanical | |
| CM | CM-6 (2) | RESPOND TO UNAUTHORIZED CHANGES | Unchanged | CM-6(2) | RESPOND TO UNAUTHORIZED CHANGES | mechanical | |
| CM | CM-6 (3) | UNAUTHORIZED CHANGE DETECTION | Incorporated Into | SI-7 | Incorporated into SI-7 | mechanical | |
| CM | CM-6 (4) | CONFORMANCE DEMONSTRATION | Incorporated Into | CM-4 | Incorporated into CM-4 | mechanical | |
| CM | CM-7 | LEAST FUNCTIONALITY | Unchanged | CM-7 | LEAST FUNCTIONALITY | mechanical | |
| CM | CM-7 (1) | PERIODIC REVIEW | Unchanged | CM-7(1) | PERIODIC REVIEW | mechanical | |
| CM | CM-7 (2) | PREVENT PROGRAM EXECUTION | Unchanged | CM-7(2) | PREVENT PROGRAM EXECUTION | mechanical | |
| CM | CM-7 (3) | REGISTRATION COMPLIANCE | Unchanged | CM-7(3) | REGISTRATION COMPLIANCE | mechanical | |
| CM | CM-7 (4) | UNAUTHORIZED SOFTWARE / BLACKLISTING | Unchanged | CM-7(4) | UNAUTHORIZED SOFTWARE — DENY-BY-EXCEPTION | mechanical | |
| CM | CM-7 (5) | AUTHORIZED SOFTWARE / WHITELISTING | Unchanged | CM-7(5) | AUTHORIZED SOFTWARE — ALLOW-BY-EXCEPTION | mechanical | |
| CM | — | | New In R5 | CM-7(6) | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES | mechanical | |
| CM | — | | New In R5 | CM-7(7) | CODE EXECUTION IN PROTECTED ENVIRONMENTS | mechanical | |
| CM | — | | New In R5 | CM-7(8) | BINARY OR MACHINE EXECUTABLE CODE | mechanical | |
| CM | — | | New In R5 | CM-7(9) | PROHIBITING THE USE OF UNAUTHORIZED HARDWARE | mechanical | |
| CM | CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY | Unchanged | CM-8 | SYSTEM COMPONENT INVENTORY | mechanical | |
| CM | CM-8 (1) | UPDATES DURING INSTALLATIONS / REMOVALS | Unchanged | CM-8(1) | UPDATES DURING INSTALLATION AND REMOVAL | mechanical | |
| CM | CM-8 (2) | AUTOMATED MAINTENANCE | Unchanged | CM-8(2) | AUTOMATED MAINTENANCE | mechanical | |
| CM | CM-8 (3) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION | Unchanged | CM-8(3) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION | mechanical | |
| CM | CM-8 (4) | ACCOUNTABILITY INFORMATION | Unchanged | CM-8(4) | ACCOUNTABILITY INFORMATION | mechanical | |
| CM | CM-8 (5) | NO DUPLICATE ACCOUNTING OF COMPONENTS | Incorporated Into | CM-8 | Incorporated into CM-8 | mechanical | |
| CM | CM-8 (6) | ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS | Unchanged | CM-8(6) | ASSESSED CONFIGURATIONS AND APPROVED DEVIATIONS | mechanical | |
| CM | CM-8 (7) | CENTRALIZED REPOSITORY | Unchanged | CM-8(7) | CENTRALIZED REPOSITORY | mechanical | |
| CM | CM-8 (8) | AUTOMATED LOCATION TRACKING | Unchanged | CM-8(8) | AUTOMATED LOCATION TRACKING | mechanical | |
| CM | CM-8 (9) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | Unchanged | CM-8(9) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | mechanical | |
| CM | CM-9 | CONFIGURATION MANAGEMENT PLAN | Unchanged | CM-9 | CONFIGURATION MANAGEMENT PLAN | mechanical | |
| CM | CM-9 (1) | ASSIGNMENT OF RESPONSIBILITY | Unchanged | CM-9(1) | ASSIGNMENT OF RESPONSIBILITY | mechanical | |
| CM | CM-10 | SOFTWARE USAGE RESTRICTIONS | Unchanged | CM-10 | SOFTWARE USAGE RESTRICTIONS | mechanical | |
| CM | CM-10 (1) | OPEN SOURCE SOFTWARE | Unchanged | CM-10(1) | OPEN-SOURCE SOFTWARE | mechanical | |
| CM | CM-11 | USER-INSTALLED SOFTWARE | Unchanged | CM-11 | USER-INSTALLED SOFTWARE | mechanical | |
| CM | CM-11 (1) | ALERTS FOR UNAUTHORIZED INSTALLATIONS | Incorporated Into | CM-8(3) | Incorporated into CM-8(3) | mechanical | |
| CM | CM-11 (2) | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS | Unchanged | CM-11(2) | SOFTWARE INSTALLATION WITH PRIVILEGED STATUS | mechanical | |
| CM | — | | New In R5 | CM-11(3) | AUTOMATED ENFORCEMENT AND MONITORING | mechanical | |
| CM | — | | New In R5 | CM-12 | INFORMATION LOCATION | mechanical | |
| CM | — | | New In R5 | CM-12(1) | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION | mechanical | |
| CM | — | | New In R5 | CM-13 | DATA ACTION MAPPING | mechanical | |
| CM | — | | New In R5 | CM-14 | SIGNED COMPONENTS | mechanical | |
| CP | CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES | Unchanged | CP-1 | POLICY AND PROCEDURES | mechanical | |
| CP | CP-2 | CONTINGENCY PLAN | Unchanged | CP-2 | CONTINGENCY PLAN | mechanical | |
| CP | CP-2 (1) | COORDINATE WITH RELATED PLANS | Unchanged | CP-2(1) | COORDINATE WITH RELATED PLANS | mechanical | |
| CP | CP-2 (2) | CAPACITY PLANNING | Unchanged | CP-2(2) | CAPACITY PLANNING | mechanical | |
| CP | CP-2 (3) | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS | Unchanged | CP-2(3) | RESUME MISSION AND BUSINESS FUNCTIONS | mechanical | |
| CP | CP-2 (4) | RESUME ALL MISSIONS / BUSINESS FUNCTIONS | Incorporated Into | CP-2(3) | Incorporated into CP-2(3) | mechanical | |
| CP | CP-2 (5) | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS | Unchanged | CP-2(5) | CONTINUE MISSION AND BUSINESS FUNCTIONS | mechanical | |
| CP | CP-2 (6) | ALTERNATE PROCESSING / STORAGE SITE | Unchanged | CP-2(6) | ALTERNATE PROCESSING AND STORAGE SITES | mechanical | |
| CP | CP-2 (7) | COORDINATE WITH EXTERNAL SERVICE PROVIDERS | Unchanged | CP-2(7) | COORDINATE WITH EXTERNAL SERVICE PROVIDERS | mechanical | |
| CP | CP-2 (8) | IDENTIFY CRITICAL ASSETS | Unchanged | CP-2(8) | IDENTIFY CRITICAL ASSETS | mechanical | |
| CP | CP-3 | CONTINGENCY TRAINING | Unchanged | CP-3 | CONTINGENCY TRAINING | mechanical | |
| CP | CP-3 (1) | SIMULATED EVENTS | Unchanged | CP-3(1) | SIMULATED EVENTS | mechanical | |
| CP | CP-3 (2) | AUTOMATED TRAINING ENVIRONMENTS | Unchanged | CP-3(2) | MECHANISMS USED IN TRAINING ENVIRONMENTS | mechanical | |
| CP | CP-4 | CONTINGENCY PLAN TESTING | Unchanged | CP-4 | CONTINGENCY PLAN TESTING | mechanical | |
| CP | CP-4 (1) | COORDINATE WITH RELATED PLANS | Unchanged | CP-4(1) | COORDINATE WITH RELATED PLANS | mechanical | |
| CP | CP-4 (2) | ALTERNATE PROCESSING SITE | Unchanged | CP-4(2) | ALTERNATE PROCESSING SITE | mechanical | |
| CP | CP-4 (3) | AUTOMATED TESTING | Unchanged | CP-4(3) | AUTOMATED TESTING | mechanical | |
| CP | CP-4 (4) | FULL RECOVERY / RECONSTITUTION | Unchanged | CP-4(4) | FULL RECOVERY AND RECONSTITUTION | mechanical | |
| CP | — | | New In R5 | CP-4(5) | SELF-CHALLENGE | mechanical | |
| CP | CP-5 | CONTINGENCY PLAN UPDATE | Incorporated Into | CP-2 | Incorporated into CP-2 | mechanical | |
| CP | CP-6 | ALTERNATE STORAGE SITE | Unchanged | CP-6 | ALTERNATE STORAGE SITE | mechanical | |
| CP | CP-6 (1) | SEPARATION FROM PRIMARY SITE | Unchanged | CP-6(1) | SEPARATION FROM PRIMARY SITE | mechanical | |
| CP | CP-6 (2) | RECOVERY TIME / POINT OBJECTIVES | Unchanged | CP-6(2) | RECOVERY TIME AND RECOVERY POINT OBJECTIVES | mechanical | |
| CP | CP-6 (3) | ACCESSIBILITY | Unchanged | CP-6(3) | ACCESSIBILITY | mechanical | |
| CP | CP-7 | ALTERNATE PROCESSING SITE | Unchanged | CP-7 | ALTERNATE PROCESSING SITE | mechanical | |
| CP | CP-7 (1) | SEPARATION FROM PRIMARY SITE | Unchanged | CP-7(1) | SEPARATION FROM PRIMARY SITE | mechanical | |
| CP | CP-7 (2) | ACCESSIBILITY | Unchanged | CP-7(2) | ACCESSIBILITY | mechanical | |
| CP | CP-7 (3) | PRIORITY OF SERVICE | Unchanged | CP-7(3) | PRIORITY OF SERVICE | mechanical | |
| CP | CP-7 (4) | PREPARATION FOR USE | Unchanged | CP-7(4) | PREPARATION FOR USE | mechanical | |
| CP | CP-7 (5) | EQUIVALENT INFORMATION SECURITY SAFEGUARDS | Incorporated Into | CP-7 | Incorporated into CP-7 | mechanical | |
| CP | CP-7 (6) | INABILITY TO RETURN TO PRIMARY SITE | Unchanged | CP-7(6) | INABILITY TO RETURN TO PRIMARY SITE | mechanical | |
| CP | CP-8 | TELECOMMUNICATIONS SERVICES | Unchanged | CP-8 | TELECOMMUNICATIONS SERVICES | mechanical | |
| CP | CP-8 (1) | PRIORITY OF SERVICE PROVISIONS | Unchanged | CP-8(1) | PRIORITY OF SERVICE PROVISIONS | mechanical | |
| CP | CP-8 (2) | SINGLE POINTS OF FAILURE | Unchanged | CP-8(2) | SINGLE POINTS OF FAILURE | mechanical | |
| CP | CP-8 (3) | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS | Unchanged | CP-8(3) | SEPARATION OF PRIMARY AND ALTERNATE PROVIDERS | mechanical | |
| CP | CP-8 (4) | PROVIDER CONTINGENCY PLAN | Unchanged | CP-8(4) | PROVIDER CONTINGENCY PLAN | mechanical | |
| CP | CP-8 (5) | ALTERNATE TELECOMMUNICATION SERVICE TESTING | Unchanged | CP-8(5) | ALTERNATE TELECOMMUNICATION SERVICE TESTING | mechanical | |
| CP | CP-9 | INFORMATION SYSTEM BACKUP | Unchanged | CP-9 | SYSTEM BACKUP | mechanical | |
| CP | CP-9 (1) | TESTING FOR RELIABILITY / INTEGRITY | Unchanged | CP-9(1) | TESTING FOR RELIABILITY AND INTEGRITY | mechanical | |
| CP | CP-9 (2) | TEST RESTORATION USING SAMPLING | Unchanged | CP-9(2) | TEST RESTORATION USING SAMPLING | mechanical | |
| CP | CP-9 (3) | SEPARATE STORAGE FOR CRITICAL INFORMATION | Unchanged | CP-9(3) | SEPARATE STORAGE FOR CRITICAL INFORMATION | mechanical | |
| CP | CP-9 (4) | PROTECTION FROM UNAUTHORIZED MODIFICATION | Incorporated Into | CP-9 | Incorporated into CP-9 | mechanical | |
| CP | CP-9 (5) | TRANSFER TO ALTERNATE STORAGE SITE | Unchanged | CP-9(5) | TRANSFER TO ALTERNATE STORAGE SITE | mechanical | |
| CP | CP-9 (6) | REDUNDANT SECONDARY SYSTEM | Unchanged | CP-9(6) | REDUNDANT SECONDARY SYSTEM | mechanical | |
| CP | CP-9 (7) | DUAL AUTHORIZATION | Unchanged | CP-9(7) | DUAL AUTHORIZATION FOR DELETION OR DESTRUCTION | mechanical | |
| CP | — | | New In R5 | CP-9(8) | CRYPTOGRAPHIC PROTECTION | mechanical | |
| CP | CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | Unchanged | CP-10 | SYSTEM RECOVERY AND RECONSTITUTION | mechanical | |
| CP | CP-10 (1) | CONTINGENCY PLAN TESTING | Incorporated Into | CP-4 | Incorporated into CP-4 | mechanical | |
| CP | CP-10 (2) | TRANSACTION RECOVERY | Unchanged | CP-10(2) | TRANSACTION RECOVERY | mechanical | |
| CP | CP-10 (3) | COMPENSATING SECURITY CONTROLS | Withdrawn | — | | mechanical | |
| CP | CP-10 (4) | RESTORE WITHIN TIME PERIOD | Unchanged | CP-10(4) | RESTORE WITHIN TIME PERIOD | mechanical | |
| CP | CP-10 (5) | FAILOVER CAPABILITY | Incorporated Into | SI-13 | Incorporated into SI-13 | mechanical | |
| CP | CP-10 (6) | COMPONENT PROTECTION | Unchanged | CP-10(6) | COMPONENT PROTECTION | mechanical | |
| CP | CP-11 | ALTERNATE COMMUNICATIONS PROTOCOLS | Unchanged | CP-11 | ALTERNATE COMMUNICATIONS PROTOCOLS | mechanical | |
| CP | CP-12 | SAFE MODE | Unchanged | CP-12 | SAFE MODE | mechanical | |
| CP | CP-13 | ALTERNATIVE SECURITY MECHANISMS | Unchanged | CP-13 | ALTERNATIVE SECURITY MECHANISMS | mechanical | |
| IA | IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES | Unchanged | IA-1 | POLICY AND PROCEDURES | mechanical | |
| IA | IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | Unchanged | IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | mechanical | |
| IA | IA-2 (1) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS | Unchanged | IA-2(1) | MULTI-FACTOR AUTHENTICATION TO PRIVILEGED ACCOUNTS | mechanical | |
| IA | IA-2 (2) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS | Unchanged | IA-2(2) | MULTI-FACTOR AUTHENTICATION TO NON-PRIVILEGED ACCOUNTS | mechanical | |
| IA | IA-2 (3) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS | Incorporated Into | IA-2(1) | Incorporated into IA-2(1) | mechanical | |
| IA | IA-2 (4) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS | Incorporated Into | IA-2(2) | Incorporated into IA-2(2) | mechanical | |
| IA | IA-2 (5) | GROUP AUTHENTICATION | Unchanged | IA-2(5) | INDIVIDUAL AUTHENTICATION WITH GROUP AUTHENTICATION | mechanical | |
| IA | IA-2 (6) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE | Unchanged | IA-2(6) | ACCESS TO ACCOUNTS — SEPARATE DEVICE | mechanical | |
| IA | IA-2 (7) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE | Incorporated Into | IA-2(6) | Incorporated into IA-2(6) | mechanical | |
| IA | IA-2 (8) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT | Unchanged | IA-2(8) | ACCESS TO ACCOUNTS — REPLAY RESISTANT | mechanical | |
| IA | IA-2 (9) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT | Incorporated Into | IA-2(8) | Incorporated into IA-2(8) | mechanical | |
| IA | IA-2 (10) | SINGLE SIGN-ON | Unchanged | IA-2(10) | SINGLE SIGN-ON | mechanical | |
| IA | IA-2 (11) | REMOTE ACCESS - SEPARATE DEVICE | Incorporated Into | IA-2(6) | Incorporated into IA-2(6) | mechanical | |
| IA | IA-2 (12) | ACCEPTANCE OF PIV CREDENTIALS | Unchanged | IA-2(12) | ACCEPTANCE OF PIV CREDENTIALS | mechanical | |
| IA | IA-2 (13) | OUT-OF-BAND AUTHENTICATION | Unchanged | IA-2(13) | OUT-OF-BAND AUTHENTICATION | mechanical | |
| IA | IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION | Unchanged | IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION | mechanical | |
| IA | IA-3 (1) | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION | Unchanged | IA-3(1) | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION | mechanical | |
| IA | IA-3 (2) | CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION | Incorporated Into | IA-3(1) | Incorporated into IA-3(1) | mechanical | |
| IA | IA-3 (3) | DYNAMIC ADDRESS ALLOCATION | Unchanged | IA-3(3) | DYNAMIC ADDRESS ALLOCATION | mechanical | |
| IA | IA-3 (4) | DEVICE ATTESTATION | Unchanged | IA-3(4) | DEVICE ATTESTATION | mechanical | |
| IA | IA-4 | IDENTIFIER MANAGEMENT | Unchanged | IA-4 | IDENTIFIER MANAGEMENT | mechanical | |
| IA | IA-4 (1) | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS | Unchanged | IA-4(1) | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS | mechanical | |
| IA | IA-4 (2) | SUPERVISOR AUTHORIZATION | Incorporated Into | IA-12(1) | Incorporated into IA-12(1) | mechanical | |
| IA | IA-4 (3) | MULTIPLE FORMS OF CERTIFICATION | Incorporated Into | IA-12(2) | Incorporated into IA-12(2) | mechanical | |
| IA | IA-4 (4) | IDENTIFY USER STATUS | Unchanged | IA-4(4) | IDENTIFY USER STATUS | mechanical | |
| IA | IA-4 (5) | DYNAMIC MANAGEMENT | Unchanged | IA-4(5) | DYNAMIC MANAGEMENT | mechanical | |
| IA | IA-4 (6) | CROSS-ORGANIZATION MANAGEMENT | Unchanged | IA-4(6) | CROSS-ORGANIZATION MANAGEMENT | mechanical | |
| IA | IA-4 (7) | IN-PERSON REGISTRATION | Incorporated Into | IA-12(4) | Incorporated into IA-12(4) | mechanical | |
| IA | — | | New In R5 | IA-4(8) | PAIRWISE PSEUDONYMOUS IDENTIFIERS | mechanical | |
| IA | — | | New In R5 | IA-4(9) | ATTRIBUTE MAINTENANCE AND PROTECTION | mechanical | |
| IA | IA-5 | AUTHENTICATOR MANAGEMENT | Unchanged | IA-5 | AUTHENTICATOR MANAGEMENT | mechanical | |
| IA | IA-5 (1) | PASSWORD-BASED AUTHENTICATION | Unchanged | IA-5(1) | PASSWORD-BASED AUTHENTICATION | mechanical | |
| IA | IA-5 (2) | PKI-BASED AUTHENTICATION | Unchanged | IA-5(2) | PUBLIC KEY-BASED AUTHENTICATION | mechanical | |
| IA | IA-5 (3) | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION | Incorporated Into | IA-12(4) | Incorporated into IA-12(4) | mechanical | |
| IA | IA-5 (4) | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION | Incorporated Into | IA-5(1) | Incorporated into IA-5(1) | mechanical | |
| IA | IA-5 (5) | CHANGE AUTHENTICATORS PRIOR TO DELIVERY | Unchanged | IA-5(5) | CHANGE AUTHENTICATORS PRIOR TO DELIVERY | mechanical | |
| IA | IA-5 (6) | PROTECTION OF AUTHENTICATORS | Unchanged | IA-5(6) | PROTECTION OF AUTHENTICATORS | mechanical | |
| IA | IA-5 (7) | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS | Unchanged | IA-5(7) | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS | mechanical | |
| IA | IA-5 (8) | MULTIPLE INFORMATION SYSTEM ACCOUNTS | Unchanged | IA-5(8) | MULTIPLE SYSTEM ACCOUNTS | mechanical | |
| IA | IA-5 (9) | CROSS-ORGANIZATION CREDENTIAL MANAGEMENT | Unchanged | IA-5(9) | FEDERATED CREDENTIAL MANAGEMENT | mechanical | |
| IA | IA-5 (10) | DYNAMIC CREDENTIAL ASSOCIATION | Unchanged | IA-5(10) | DYNAMIC CREDENTIAL BINDING | mechanical | |
| IA | IA-5 (11) | HARDWARE TOKEN-BASED AUTHENTICATION | Incorporated Into | IA-2(1), IA-2(2) | Incorporated into IA-2(1), IA-2(2) | mechanical | |
| IA | IA-5 (12) | BIOMETRIC-BASED AUTHENTICATION | Unchanged | IA-5(12) | BIOMETRIC AUTHENTICATION PERFORMANCE | mechanical | |
| IA | IA-5 (13) | EXPIRATION OF CACHED AUTHENTICATORS | Unchanged | IA-5(13) | EXPIRATION OF CACHED AUTHENTICATORS | mechanical | |
| IA | IA-5 (14) | MANAGING CONTENT OF PKI TRUST STORES | Unchanged | IA-5(14) | MANAGING CONTENT OF PKI TRUST STORES | mechanical | |
| IA | IA-5 (15) | FICAM-APPROVED PRODUCTS AND SERVICES | Unchanged | IA-5(15) | GSA-APPROVED PRODUCTS AND SERVICES | mechanical | |
| IA | — | | New In R5 | IA-5(16) | IN-PERSON OR TRUSTED EXTERNAL PARTY AUTHENTICATOR ISSUANCE | mechanical | |
| IA | — | | New In R5 | IA-5(17) | PRESENTATION ATTACK DETECTION FOR BIOMETRIC AUTHENTICATORS | mechanical | |
| IA | — | | New In R5 | IA-5(18) | PASSWORD MANAGERS | mechanical | |
| IA | IA-6 | AUTHENTICATOR FEEDBACK | Unchanged | IA-6 | AUTHENTICATION FEEDBACK | mechanical | |
| IA | IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION | Unchanged | IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION | mechanical | |
| IA | IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | Unchanged | IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | mechanical | |
| IA | IA-8 (1) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES | Unchanged | IA-8(1) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES | mechanical | |
| IA | IA-8 (2) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS | Unchanged | IA-8(2) | ACCEPTANCE OF EXTERNAL AUTHENTICATORS | mechanical | |
| IA | IA-8 (3) | USE OF FICAM-APPROVED PRODUCTS | Incorporated Into | IA-8(2) | Incorporated into IA-8(2) | mechanical | |
| IA | IA-8 (4) | USE OF FICAM-ISSUED PROFILES | Unchanged | IA-8(4) | USE OF DEFINED PROFILES | mechanical | |
| IA | IA-8 (5) | ACCEPTANCE OF PIV-I CREDENTIALS | Unchanged | IA-8(5) | ACCEPTANCE OF PIV-I CREDENTIALS | mechanical | |
| IA | — | | New In R5 | IA-8(6) | DISASSOCIABILITY | mechanical | |
| IA | IA-9 | SERVICE IDENTIFICATION AND AUTHENTICATION | Unchanged | IA-9 | SERVICE IDENTIFICATION AND AUTHENTICATION | mechanical | |
| IA | IA-9 (1) | INFORMATION EXCHANGE | Incorporated Into | IA-9 | Incorporated into IA-9 | mechanical | |
| IA | IA-9 (2) | TRANSMISSION OF DECISIONS | Incorporated Into | IA-9 | Incorporated into IA-9 | mechanical | |
| IA | IA-10 | ADAPTIVE IDENTIFICATION AND AUTHENTICATION | Unchanged | IA-10 | ADAPTIVE AUTHENTICATION | mechanical | |
| IA | IA-11 | RE-AUTHENTICATION | Unchanged | IA-11 | RE-AUTHENTICATION | mechanical | |
| IA | — | | New In R5 | IA-12 | IDENTITY PROOFING | mechanical | |
| IA | — | | New In R5 | IA-12(1) | SUPERVISOR AUTHORIZATION | mechanical | |
| IA | — | | New In R5 | IA-12(2) | IDENTITY EVIDENCE | mechanical | |
| IA | — | | New In R5 | IA-12(3) | IDENTITY EVIDENCE VALIDATION AND VERIFICATION | mechanical | |
| IA | — | | New In R5 | IA-12(4) | IN-PERSON VALIDATION AND VERIFICATION | mechanical | |
| IA | — | | New In R5 | IA-12(5) | ADDRESS CONFIRMATION | mechanical | |
| IA | — | | New In R5 | IA-12(6) | ACCEPT EXTERNALLY-PROOFED IDENTITIES | mechanical | |
| IR | IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES | Unchanged | IR-1 | POLICY AND PROCEDURES | mechanical | |
| IR | IR-2 | INCIDENT RESPONSE TRAINING | Unchanged | IR-2 | INCIDENT RESPONSE TRAINING | mechanical | |
| IR | IR-2 (1) | SIMULATED EVENTS | Unchanged | IR-2(1) | SIMULATED EVENTS | mechanical | |
| IR | IR-2 (2) | AUTOMATED TRAINING ENVIRONMENTS | Unchanged | IR-2(2) | AUTOMATED TRAINING ENVIRONMENTS | mechanical | |
| IR | — | | New In R5 | IR-2(3) | BREACH | mechanical | |
| IR | IR-3 | INCIDENT RESPONSE TESTING | Unchanged | IR-3 | INCIDENT RESPONSE TESTING | mechanical | |
| IR | IR-3 (1) | AUTOMATED TESTING | Unchanged | IR-3(1) | AUTOMATED TESTING | mechanical | |
| IR | IR-3 (2) | COORDINATION WITH RELATED PLANS | Unchanged | IR-3(2) | COORDINATION WITH RELATED PLANS | mechanical | |
| IR | — | | New In R5 | IR-3(3) | CONTINUOUS IMPROVEMENT | mechanical | |
| IR | IR-4 | INCIDENT HANDLING | Unchanged | IR-4 | INCIDENT HANDLING | mechanical | |
| IR | IR-4 (1) | AUTOMATED INCIDENT HANDLING PROCESSES | Unchanged | IR-4(1) | AUTOMATED INCIDENT HANDLING PROCESSES | mechanical | |
| IR | IR-4 (2) | DYNAMIC RECONFIGURATION | Unchanged | IR-4(2) | DYNAMIC RECONFIGURATION | mechanical | |
| IR | IR-4 (3) | CONTINUITY OF OPERATIONS | Unchanged | IR-4(3) | CONTINUITY OF OPERATIONS | mechanical | |
| IR | IR-4 (4) | INFORMATION CORRELATION | Unchanged | IR-4(4) | INFORMATION CORRELATION | mechanical | |
| IR | IR-4 (5) | AUTOMATIC DISABLING OF INFORMATION SYSTEM | Unchanged | IR-4(5) | AUTOMATIC DISABLING OF SYSTEM | mechanical | |
| IR | IR-4 (6) | INSIDER THREATS - SPECIFIC CAPABILITIES | Unchanged | IR-4(6) | INSIDER THREATS | mechanical | |
| IR | IR-4 (7) | INSIDER THREATS - INTRA-ORGANIZATION COORDINATION | Unchanged | IR-4(7) | INSIDER THREATS — INTRA-ORGANIZATION COORDINATION | mechanical | |
| IR | IR-4 (8) | CORRELATION WITH EXTERNAL ORGANIZATIONS | Unchanged | IR-4(8) | CORRELATION WITH EXTERNAL ORGANIZATIONS | mechanical | |
| IR | IR-4 (9) | DYNAMIC RESPONSE CAPABILITY | Unchanged | IR-4(9) | DYNAMIC RESPONSE CAPABILITY | mechanical | |
| IR | IR-4 (10) | SUPPLY CHAIN COORDINATION | Unchanged | IR-4(10) | SUPPLY CHAIN COORDINATION | mechanical | |
| IR | — | | New In R5 | IR-4(11) | INTEGRATED INCIDENT RESPONSE TEAM | mechanical | |
| IR | — | | New In R5 | IR-4(12) | MALICIOUS CODE AND FORENSIC ANALYSIS | mechanical | |
| IR | — | | New In R5 | IR-4(13) | BEHAVIOR ANALYSIS | mechanical | |
| IR | — | | New In R5 | IR-4(14) | SECURITY OPERATIONS CENTER | mechanical | |
| IR | — | | New In R5 | IR-4(15) | PUBLIC RELATIONS AND REPUTATION REPAIR | mechanical | |
| IR | IR-5 | INCIDENT MONITORING | Unchanged | IR-5 | INCIDENT MONITORING | mechanical | |
| IR | IR-5 (1) | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS | Unchanged | IR-5(1) | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS | mechanical | |
| IR | IR-6 | INCIDENT REPORTING | Unchanged | IR-6 | INCIDENT REPORTING | mechanical | |
| IR | IR-6 (1) | AUTOMATED REPORTING | Unchanged | IR-6(1) | AUTOMATED REPORTING | mechanical | |
| IR | IR-6 (2) | VULNERABILITIES RELATED TO INCIDENTS | Unchanged | IR-6(2) | VULNERABILITIES RELATED TO INCIDENTS | mechanical | |
| IR | IR-6 (3) | COORDINATION WITH SUPPLY CHAIN | Unchanged | IR-6(3) | SUPPLY CHAIN COORDINATION | mechanical | |
| IR | IR-7 | INCIDENT RESPONSE ASSISTANCE | Unchanged | IR-7 | INCIDENT RESPONSE ASSISTANCE | mechanical | |
| IR | IR-7 (1) | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT | Unchanged | IR-7(1) | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION AND SUPPORT | mechanical | |
| IR | IR-7 (2) | COORDINATION WITH EXTERNAL PROVIDERS | Unchanged | IR-7(2) | COORDINATION WITH EXTERNAL PROVIDERS | mechanical | |
| IR | IR-8 | INCIDENT RESPONSE PLAN | Unchanged | IR-8 | INCIDENT RESPONSE PLAN | mechanical | |
| IR | — | | New In R5 | IR-8(1) | BREACHES | mechanical | |
| IR | IR-9 | INFORMATION SPILLAGE RESPONSE | Unchanged | IR-9 | INFORMATION SPILLAGE RESPONSE | mechanical | |
| IR | IR-9 (1) | RESPONSIBLE PERSONNEL | Incorporated Into | IR-9 | Incorporated into IR-9 | mechanical | |
| IR | IR-9 (2) | TRAINING | Unchanged | IR-9(2) | TRAINING | mechanical | |
| IR | IR-9 (3) | POST-SPILL OPERATIONS | Unchanged | IR-9(3) | POST-SPILL OPERATIONS | mechanical | |
| IR | IR-9 (4) | EXPOSURE TO UNAUTHORIZED PERSONNEL | Unchanged | IR-9(4) | EXPOSURE TO UNAUTHORIZED PERSONNEL | mechanical | |
| IR | IR-10 | INTEGRATED INFORMATION SECURITY ANALYSIS TEAM | Withdrawn | — | | mechanical | |
| MA | MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | Unchanged | MA-1 | POLICY AND PROCEDURES | mechanical | |
| MA | MA-2 | CONTROLLED MAINTENANCE | Unchanged | MA-2 | CONTROLLED MAINTENANCE | mechanical | |
| MA | MA-2 (1) | RECORD CONTENT | Incorporated Into | MA-2 | Incorporated into MA-2 | mechanical | |
| MA | MA-2 (2) | AUTOMATED MAINTENANCE ACTIVITIES | Unchanged | MA-2(2) | AUTOMATED MAINTENANCE ACTIVITIES | mechanical | |
| MA | MA-3 | MAINTENANCE TOOLS | Unchanged | MA-3 | MAINTENANCE TOOLS | mechanical | |
| MA | MA-3 (1) | INSPECT TOOLS | Unchanged | MA-3(1) | INSPECT TOOLS | mechanical | |
| MA | MA-3 (2) | INSPECT MEDIA | Unchanged | MA-3(2) | INSPECT MEDIA | mechanical | |
| MA | MA-3 (3) | PREVENT UNAUTHORIZED REMOVAL | Unchanged | MA-3(3) | PREVENT UNAUTHORIZED REMOVAL | mechanical | |
| MA | MA-3 (4) | RESTRICTED TOOL USE | Unchanged | MA-3(4) | RESTRICTED TOOL USE | mechanical | |
| MA | — | | New In R5 | MA-3(5) | EXECUTION WITH PRIVILEGE | mechanical | |
| MA | — | | New In R5 | MA-3(6) | SOFTWARE UPDATES AND PATCHES | mechanical | |
| MA | MA-4 | NONLOCAL MAINTENANCE | Unchanged | MA-4 | NONLOCAL MAINTENANCE | mechanical | |
| MA | MA-4 (1) | AUDITING AND REVIEW | Unchanged | MA-4(1) | LOGGING AND REVIEW | mechanical | |
| MA | MA-4 (2) | DOCUMENT NONLOCAL MAINTENANCE | Incorporated Into | MA-1, MA-4 | Incorporated into MA-1, MA-4 | mechanical | |
| MA | MA-4 (3) | COMPARABLE SECURITY / SANITIZATION | Unchanged | MA-4(3) | COMPARABLE SECURITY AND SANITIZATION | mechanical | |
| MA | MA-4 (4) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS | Unchanged | MA-4(4) | AUTHENTICATION AND SEPARATION OF MAINTENANCE SESSIONS | mechanical | |
| MA | MA-4 (5) | APPROVALS AND NOTIFICATIONS | Unchanged | MA-4(5) | APPROVALS AND NOTIFICATIONS | mechanical | |
| MA | MA-4 (6) | CRYPTOGRAPHIC PROTECTION | Unchanged | MA-4(6) | CRYPTOGRAPHIC PROTECTION | mechanical | |
| MA | MA-4 (7) | REMOTE DISCONNECT VERIFICATION | Unchanged | MA-4(7) | DISCONNECT VERIFICATION | mechanical | |
| MA | MA-5 | MAINTENANCE PERSONNEL | Unchanged | MA-5 | MAINTENANCE PERSONNEL | mechanical | |
| MA | MA-5 (1) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | Unchanged | MA-5(1) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | mechanical | |
| MA | MA-5 (2) | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS | Unchanged | MA-5(2) | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS | mechanical | |
| MA | MA-5 (3) | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS | Unchanged | MA-5(3) | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS | mechanical | |
| MA | MA-5 (4) | FOREIGN NATIONALS | Unchanged | MA-5(4) | FOREIGN NATIONALS | mechanical | |
| MA | MA-5 (5) | NONSYSTEM-RELATED MAINTENANCE | Unchanged | MA-5(5) | NON-SYSTEM MAINTENANCE | mechanical | |
| MA | MA-6 | TIMELY MAINTENANCE | Unchanged | MA-6 | TIMELY MAINTENANCE | mechanical | |
| MA | MA-6 (1) | PREVENTIVE MAINTENANCE | Unchanged | MA-6(1) | PREVENTIVE MAINTENANCE | mechanical | |
| MA | MA-6 (2) | PREDICTIVE MAINTENANCE | Unchanged | MA-6(2) | PREDICTIVE MAINTENANCE | mechanical | |
| MA | MA-6 (3) | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE | Unchanged | MA-6(3) | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE | mechanical | |
| MA | — | | New In R5 | MA-7 | FIELD MAINTENANCE | mechanical | |
| MP | MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES | Unchanged | MP-1 | POLICY AND PROCEDURES | mechanical | |
| MP | MP-2 | MEDIA ACCESS | Unchanged | MP-2 | MEDIA ACCESS | mechanical | |
| MP | MP-2 (1) | AUTOMATED RESTRICTED ACCESS | Incorporated Into | MP-4(2) | Incorporated into MP-4(2) | mechanical | |
| MP | MP-2 (2) | CRYPTOGRAPHIC PROTECTION | Incorporated Into | SC-28(1) | Incorporated into SC-28(1) | mechanical | |
| MP | MP-3 | MEDIA MARKING | Unchanged | MP-3 | MEDIA MARKING | mechanical | |
| MP | MP-4 | MEDIA STORAGE | Unchanged | MP-4 | MEDIA STORAGE | mechanical | |
| MP | MP-4 (1) | CRYPTOGRAPHIC PROTECTION | Incorporated Into | SC-28(1) | Incorporated into SC-28(1) | mechanical | |
| MP | MP-4 (2) | AUTOMATED RESTRICTED ACCESS | Unchanged | MP-4(2) | AUTOMATED RESTRICTED ACCESS | mechanical | |
| MP | MP-5 | MEDIA TRANSPORT | Unchanged | MP-5 | MEDIA TRANSPORT | mechanical | |
| MP | MP-5 (1) | PROTECTION OUTSIDE OF CONTROLLED AREAS | Incorporated Into | MP-5 | Incorporated into MP-5 | mechanical | |
| MP | MP-5 (2) | DOCUMENTATION OF ACTIVITIES | Incorporated Into | MP-5 | Incorporated into MP-5 | mechanical | |
| MP | MP-5 (3) | CUSTODIANS | Unchanged | MP-5(3) | CUSTODIANS | mechanical | |
| MP | MP-5 (4) | CRYPTOGRAPHIC PROTECTION | Incorporated Into | SC-28(1) | Incorporated into SC-28(1) | mechanical | |
| MP | MP-6 | MEDIA SANITIZATION | Unchanged | MP-6 | MEDIA SANITIZATION | mechanical | |
| MP | MP-6 (1) | REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY | Unchanged | MP-6(1) | REVIEW, APPROVE, TRACK, DOCUMENT, AND VERIFY | mechanical | |
| MP | MP-6 (2) | EQUIPMENT TESTING | Unchanged | MP-6(2) | EQUIPMENT TESTING | mechanical | |
| MP | MP-6 (3) | NONDESTRUCTIVE TECHNIQUES | Unchanged | MP-6(3) | NONDESTRUCTIVE TECHNIQUES | mechanical | |
| MP | MP-6 (4) | CONTROLLED UNCLASSIFIED INFORMATION | Incorporated Into | MP-6 | Incorporated into MP-6 | mechanical | |
| MP | MP-6 (5) | CLASSIFIED INFORMATION | Incorporated Into | MP-6 | Incorporated into MP-6 | mechanical | |
| MP | MP-6 (6) | MEDIA DESTRUCTION | Incorporated Into | MP-6 | Incorporated into MP-6 | mechanical | |
| MP | MP-6 (7) | DUAL AUTHORIZATION | Unchanged | MP-6(7) | DUAL AUTHORIZATION | mechanical | |
| MP | MP-6 (8) | REMOTE PURGING / WIPING OF INFORMATION | Unchanged | MP-6(8) | REMOTE PURGING OR WIPING OF INFORMATION | mechanical | |
| MP | MP-7 | MEDIA USE | Unchanged | MP-7 | MEDIA USE | mechanical | |
| MP | MP-7 (1) | PROHIBIT USE WITHOUT OWNER | Incorporated Into | MP-7 | Incorporated into MP-7 | mechanical | |
| MP | MP-7 (2) | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA | Unchanged | MP-7(2) | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA | mechanical | |
| MP | MP-8 | MEDIA DOWNGRADING | Unchanged | MP-8 | MEDIA DOWNGRADING | mechanical | |
| MP | MP-8 (1) | DOCUMENTATION OF PROCESS | Unchanged | MP-8(1) | DOCUMENTATION OF PROCESS | mechanical | |
| MP | MP-8 (2) | EQUIPMENT TESTING | Unchanged | MP-8(2) | EQUIPMENT TESTING | mechanical | |
| MP | MP-8 (3) | CONTROLLED UNCLASSIFIED INFORMATION | Unchanged | MP-8(3) | CONTROLLED UNCLASSIFIED INFORMATION | mechanical | |
| MP | MP-8 (4) | CLASSIFIED INFORMATION | Unchanged | MP-8(4) | CLASSIFIED INFORMATION | mechanical | |
| PE | PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | Unchanged | PE-1 | POLICY AND PROCEDURES | mechanical | |
| PE | PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | Unchanged | PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | mechanical | |
| PE | PE-2 (1) | ACCESS BY POSITION / ROLE | Unchanged | PE-2(1) | ACCESS BY POSITION OR ROLE | mechanical | |
| PE | PE-2 (2) | TWO FORMS OF IDENTIFICATION | Unchanged | PE-2(2) | TWO FORMS OF IDENTIFICATION | mechanical | |
| PE | PE-2 (3) | RESTRICT UNESCORTED ACCESS | Unchanged | PE-2(3) | RESTRICT UNESCORTED ACCESS | mechanical | |
| PE | PE-3 | PHYSICAL ACCESS CONTROL | Unchanged | PE-3 | PHYSICAL ACCESS CONTROL | mechanical | |
| PE | PE-3 (1) | INFORMATION SYSTEM ACCESS | Unchanged | PE-3(1) | SYSTEM ACCESS | mechanical | |
| PE | PE-3 (2) | FACILITY / INFORMATION SYSTEM BOUNDARIES | Unchanged | PE-3(2) | FACILITY AND SYSTEMS | mechanical | |
| PE | PE-3 (3) | CONTINUOUS GUARDS / ALARMS / MONITORING | Unchanged | PE-3(3) | CONTINUOUS GUARDS | mechanical | |
| PE | PE-3 (4) | LOCKABLE CASINGS | Unchanged | PE-3(4) | LOCKABLE CASINGS | mechanical | |
| PE | PE-3 (5) | TAMPER PROTECTION | Unchanged | PE-3(5) | TAMPER PROTECTION | mechanical | |
| PE | PE-3 (6) | FACILITY PENETRATION TESTING | Incorporated Into | CA-8 | Incorporated into CA-8 | mechanical | |
| PE | — | | New In R5 | PE-3(7) | PHYSICAL BARRIERS | mechanical | |
| PE | — | | New In R5 | PE-3(8) | ACCESS CONTROL VESTIBULES | mechanical | |
| PE | PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM | Unchanged | PE-4 | ACCESS CONTROL FOR TRANSMISSION | mechanical | |
| PE | PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES | Unchanged | PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES | mechanical | |
| PE | PE-5 (1) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS | Incorporated Into | PE-5 | Incorporated into PE-5 | mechanical | |
| PE | PE-5 (2) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY | Unchanged | PE-5(2) | LINK TO INDIVIDUAL IDENTITY | mechanical | |
| PE | PE-5 (3) | MARKING OUTPUT DEVICES | Incorporated Into | PE-22 | Incorporated into PE-22 | mechanical | |
| PE | PE-6 | MONITORING PHYSICAL ACCESS | Unchanged | PE-6 | MONITORING PHYSICAL ACCESS | mechanical | |
| PE | PE-6 (1) | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT | Unchanged | PE-6(1) | INTRUSION ALARMS AND SURVEILLANCE EQUIPMENT | mechanical | |
| PE | PE-6 (2) | AUTOMATED INTRUSION RECOGNITION / RESPONSES | Unchanged | PE-6(2) | AUTOMATED INTRUSION RECOGNITION AND RESPONSES | mechanical | |
| PE | PE-6 (3) | VIDEO SURVEILLANCE | Unchanged | PE-6(3) | VIDEO SURVEILLANCE | mechanical | |
| PE | PE-6 (4) | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS | Unchanged | PE-6(4) | MONITORING PHYSICAL ACCESS TO SYSTEMS | mechanical | |
| PE | PE-7 | VISITOR CONTROL | Incorporated Into | PE-2, PE-3 | Incorporated into PE-2, PE-3 | mechanical | |
| PE | PE-8 | VISITOR ACCESS RECORDS | Unchanged | PE-8 | VISITOR ACCESS RECORDS | mechanical | |
| PE | PE-8 (1) | AUTOMATED RECORDS MAINTENANCE / REVIEW | Unchanged | PE-8(1) | AUTOMATED RECORDS MAINTENANCE AND REVIEW | mechanical | |
| PE | PE-8 (2) | PHYSICAL ACCESS RECORDS | Incorporated Into | PE-2 | Incorporated into PE-2 | mechanical | |
| PE | — | | New In R5 | PE-8(3) | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS | mechanical | |
| PE | PE-9 | POWER EQUIPMENT AND CABLING | Unchanged | PE-9 | POWER EQUIPMENT AND CABLING | mechanical | |
| PE | PE-9 (1) | REDUNDANT CABLING | Unchanged | PE-9(1) | REDUNDANT CABLING | mechanical | |
| PE | PE-9 (2) | AUTOMATIC VOLTAGE CONTROLS | Unchanged | PE-9(2) | AUTOMATIC VOLTAGE CONTROLS | mechanical | |
| PE | PE-10 | EMERGENCY SHUTOFF | Unchanged | PE-10 | EMERGENCY SHUTOFF | mechanical | |
| PE | PE-10 (1) | ACCIDENTAL / UNAUTHORIZED ACTIVATION | Incorporated Into | PE-10 | Incorporated into PE-10 | mechanical | |
| PE | PE-11 | EMERGENCY POWER | Unchanged | PE-11 | EMERGENCY POWER | mechanical | |
| PE | PE-11 (1) | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY | Unchanged | PE-11(1) | ALTERNATE POWER SUPPLY — MINIMAL OPERATIONAL CAPABILITY | mechanical | |
| PE | PE-11 (2) | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED | Unchanged | PE-11(2) | ALTERNATE POWER SUPPLY — SELF-CONTAINED | mechanical | |
| PE | PE-12 | EMERGENCY LIGHTING | Unchanged | PE-12 | EMERGENCY LIGHTING | mechanical | |
| PE | PE-12 (1) | ESSENTIAL MISSIONS / BUSINESS FUNCTIONS | Unchanged | PE-12(1) | ESSENTIAL MISSION AND BUSINESS FUNCTIONS | mechanical | |
| PE | PE-13 | FIRE PROTECTION | Unchanged | PE-13 | FIRE PROTECTION | mechanical | |
| PE | PE-13 (1) | DETECTION DEVICES / SYSTEMS | Unchanged | PE-13(1) | DETECTION SYSTEMS — AUTOMATIC ACTIVATION AND NOTIFICATION | mechanical | |
| PE | PE-13 (2) | SUPPRESSION DEVICES / SYSTEMS | Unchanged | PE-13(2) | SUPPRESSION SYSTEMS — AUTOMATIC ACTIVATION AND NOTIFICATION | mechanical | |
| PE | PE-13 (3) | AUTOMATIC FIRE SUPPRESSION | Incorporated Into | PE-13(2) | Incorporated into PE-13(2) | mechanical | |
| PE | PE-13 (4) | INSPECTIONS | Unchanged | PE-13(4) | INSPECTIONS | mechanical | |
| PE | PE-14 | TEMPERATURE AND HUMIDITY CONTROLS | Unchanged | PE-14 | ENVIRONMENTAL CONTROLS | mechanical | |
| PE | PE-14 (1) | AUTOMATIC CONTROLS | Unchanged | PE-14(1) | AUTOMATIC CONTROLS | mechanical | |
| PE | PE-14 (2) | MONITORING WITH ALARMS / NOTIFICATIONS | Unchanged | PE-14(2) | MONITORING WITH ALARMS AND NOTIFICATIONS | mechanical | |
| PE | PE-15 | WATER DAMAGE PROTECTION | Unchanged | PE-15 | WATER DAMAGE PROTECTION | mechanical | |
| PE | PE-15 (1) | AUTOMATION SUPPORT | Unchanged | PE-15(1) | AUTOMATION SUPPORT | mechanical | |
| PE | PE-16 | DELIVERY AND REMOVAL | Unchanged | PE-16 | DELIVERY AND REMOVAL | mechanical | |
| PE | PE-17 | ALTERNATE WORK SITE | Unchanged | PE-17 | ALTERNATE WORK SITE | mechanical | |
| PE | PE-18 | LOCATION OF INFORMATION SYSTEM COMPONENTS | Unchanged | PE-18 | LOCATION OF SYSTEM COMPONENTS | mechanical | |
| PE | PE-18 (1) | FACILITY SITE | Withdrawn | — | | mechanical | |
| PE | PE-19 | INFORMATION LEAKAGE | Unchanged | PE-19 | INFORMATION LEAKAGE | mechanical | |
| PE | PE-19 (1) | NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES | Unchanged | PE-19(1) | NATIONAL EMISSIONS POLICIES AND PROCEDURES | mechanical | |
| PE | PE-20 | ASSET MONITORING AND TRACKING | Unchanged | PE-20 | ASSET MONITORING AND TRACKING | mechanical | |
| PE | — | | New In R5 | PE-21 | ELECTROMAGNETIC PULSE PROTECTION | mechanical | |
| PE | — | | New In R5 | PE-22 | COMPONENT MARKING | mechanical | |
| PE | — | | New In R5 | PE-23 | FACILITY LOCATION | mechanical | |
| PL | PL-1 | SECURITY PLANNING POLICY AND PROCEDURES | Unchanged | PL-1 | POLICY AND PROCEDURES | mechanical | |
| PL | PL-2 | SYSTEM SECURITY PLAN | Unchanged | PL-2 | SYSTEM SECURITY AND PRIVACY PLANS | mechanical | |
| PL | PL-2 (1) | CONCEPT OF OPERATIONS | Incorporated Into | PL-7 | Incorporated into PL-7 | mechanical | |
| PL | PL-2 (2) | FUNCTIONAL ARCHITECTURE | Incorporated Into | PL-8 | Incorporated into PL-8 | mechanical | |
| PL | PL-2 (3) | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES | Incorporated Into | PL-2 | Incorporated into PL-2 | mechanical | |
| PL | PL-3 | SYSTEM SECURITY PLAN UPDATE | Incorporated Into | PL-2 | Incorporated into PL-2 | mechanical | |
| PL | PL-4 | RULES OF BEHAVIOR | Unchanged | PL-4 | RULES OF BEHAVIOR | mechanical | |
| PL | PL-4 (1) | SOCIAL MEDIA AND NETWORKING RESTRICTIONS | Unchanged | PL-4(1) | SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION USAGE RESTRICTIONS | mechanical | |
| PL | PL-5 | PRIVACY IMPACT ASSESSMENT | Incorporated Into | RA-8 | Incorporated into RA-8 | mechanical | |
| PL | PL-6 | SECURITY-RELATED ACTIVITY PLANNING | Incorporated Into | PL-2 | Incorporated into PL-2 | mechanical | |
| PL | PL-7 | SECURITY CONCEPT OF OPERATIONS | Unchanged | PL-7 | CONCEPT OF OPERATIONS | mechanical | |
| PL | PL-8 | INFORMATION SECURITY ARCHITECTURE | Unchanged | PL-8 | SECURITY AND PRIVACY ARCHITECTURES | mechanical | |
| PL | PL-8 (1) | DEFENSE-IN-DEPTH | Unchanged | PL-8(1) | DEFENSE IN DEPTH | mechanical | |
| PL | PL-8 (2) | SUPPLIER DIVERSITY | Unchanged | PL-8(2) | SUPPLIER DIVERSITY | mechanical | |
| PL | PL-9 | CENTRAL MANAGEMENT | Unchanged | PL-9 | CENTRAL MANAGEMENT | mechanical | |
| PL | — | | New In R5 | PL-10 | BASELINE SELECTION | mechanical | |
| PL | — | | New In R5 | PL-11 | BASELINE TAILORING | mechanical | |
| PM | PM-1 | INFORMATION SECURITY PROGRAM PLAN | Unchanged | PM-1 | INFORMATION SECURITY PROGRAM PLAN | mechanical | |
| PM | PM-2 | SENIOR INFORMATION SECURITY OFFICER | Unchanged | PM-2 | INFORMATION SECURITY PROGRAM LEADERSHIP ROLE | mechanical | |
| PM | PM-3 | INFORMATION SECURITY RESOURCES | Unchanged | PM-3 | INFORMATION SECURITY AND PRIVACY RESOURCES | mechanical | |
| PM | PM-4 | PLAN OF ACTION AND MILESTONES PROCESS | Unchanged | PM-4 | PLAN OF ACTION AND MILESTONES PROCESS | mechanical | |
| PM | PM-5 | INFORMATION SYSTEM INVENTORY | Unchanged | PM-5 | SYSTEM INVENTORY | mechanical | |
| PM | — | | New In R5 | PM-5(1) | INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| PM | PM-6 | INFORMATION SECURITY MEASURES OF PERFORMANCE | Unchanged | PM-6 | MEASURES OF PERFORMANCE | mechanical | |
| PM | PM-7 | ENTERPRISE ARCHITECTURE | Unchanged | PM-7 | ENTERPRISE ARCHITECTURE | mechanical | |
| PM | — | | New In R5 | PM-7(1) | OFFLOADING | mechanical | |
| PM | PM-8 | CRITICAL INFRASTRUCTURE PLAN | Unchanged | PM-8 | CRITICAL INFRASTRUCTURE PLAN | mechanical | |
| PM | PM-9 | RISK MANAGEMENT STRATEGY | Unchanged | PM-9 | RISK MANAGEMENT STRATEGY | mechanical | |
| PM | PM-10 | SECURITY AUTHORIZATION PROCESS | Unchanged | PM-10 | AUTHORIZATION PROCESS | mechanical | |
| PM | PM-11 | MISSION/BUSINESS PROCESS DEFINITION | Unchanged | PM-11 | MISSION AND BUSINESS PROCESS DEFINITION | mechanical | |
| PM | PM-12 | INSIDER THREAT PROGRAM | Unchanged | PM-12 | INSIDER THREAT PROGRAM | mechanical | |
| PM | PM-13 | INFORMATION SECURITY WORKFORCE | Unchanged | PM-13 | SECURITY AND PRIVACY WORKFORCE | mechanical | |
| PM | PM-14 | TESTING, TRAINING, AND MONITORING | Unchanged | PM-14 | TESTING, TRAINING, AND MONITORING | mechanical | |
| PM | PM-15 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | Unchanged | PM-15 | SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS | mechanical | |
| PM | PM-16 | THREAT AWARENESS PROGRAM | Unchanged | PM-16 | THREAT AWARENESS PROGRAM | mechanical | |
| PM | — | | New In R5 | PM-16(1) | AUTOMATED MEANS FOR SHARING THREAT INTELLIGENCE | mechanical | |
| PM | — | | New In R5 | PM-17 | PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS | mechanical | |
| PM | — | | New In R5 | PM-18 | PRIVACY PROGRAM PLAN | mechanical | |
| PM | — | | New In R5 | PM-19 | PRIVACY PROGRAM LEADERSHIP ROLE | mechanical | |
| PM | — | | New In R5 | PM-20 | DISSEMINATION OF PRIVACY PROGRAM INFORMATION | mechanical | |
| PM | — | | New In R5 | PM-20(1) | PRIVACY POLICIES ON WEBSITES, APPLICATIONS, AND DIGITAL SERVICES | mechanical | |
| PM | — | | New In R5 | PM-21 | ACCOUNTING OF DISCLOSURES | mechanical | |
| PM | — | | New In R5 | PM-22 | PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT | mechanical | |
| PM | — | | New In R5 | PM-23 | DATA GOVERNANCE BODY | mechanical | |
| PM | — | | New In R5 | PM-24 | DATA INTEGRITY BOARD | mechanical | |
| PM | — | | New In R5 | PM-25 | MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION USED IN TESTING, TRAINING, AND RESEARCH | mechanical | |
| PM | — | | New In R5 | PM-26 | COMPLAINT MANAGEMENT | mechanical | |
| PM | — | | New In R5 | PM-27 | PRIVACY REPORTING | mechanical | |
| PM | — | | New In R5 | PM-28 | RISK FRAMING | mechanical | |
| PM | — | | New In R5 | PM-29 | RISK MANAGEMENT PROGRAM LEADERSHIP ROLES | mechanical | |
| PM | — | | New In R5 | PM-30 | SUPPLY CHAIN RISK MANAGEMENT STRATEGY | mechanical | |
| PM | — | | New In R5 | PM-30(1) | SUPPLIERS OF CRITICAL OR MISSION-ESSENTIAL ITEMS | mechanical | |
| PM | — | | New In R5 | PM-31 | CONTINUOUS MONITORING STRATEGY | mechanical | |
| PM | — | | New In R5 | PM-32 | PURPOSING | mechanical | |
| PS | PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES | Unchanged | PS-1 | POLICY AND PROCEDURES | mechanical | |
| PS | PS-2 | POSITION RISK DESIGNATION | Unchanged | PS-2 | POSITION RISK DESIGNATION | mechanical | |
| PS | PS-3 | PERSONNEL SCREENING | Unchanged | PS-3 | PERSONNEL SCREENING | mechanical | |
| PS | PS-3 (1) | CLASSIFIED INFORMATION | Unchanged | PS-3(1) | CLASSIFIED INFORMATION | mechanical | |
| PS | PS-3 (2) | FORMAL INDOCTRINATION | Unchanged | PS-3(2) | FORMAL INDOCTRINATION | mechanical | |
| PS | PS-3 (3) | INFORMATION WITH SPECIAL PROTECTION MEASURES | Unchanged | PS-3(3) | INFORMATION REQUIRING SPECIAL PROTECTIVE MEASURES | mechanical | |
| PS | — | | New In R5 | PS-3(4) | CITIZENSHIP REQUIREMENTS | mechanical | |
| PS | PS-4 | PERSONNEL TERMINATION | Unchanged | PS-4 | PERSONNEL TERMINATION | mechanical | |
| PS | PS-4 (1) | POST-EMPLOYMENT REQUIREMENTS | Unchanged | PS-4(1) | POST-EMPLOYMENT REQUIREMENTS | mechanical | |
| PS | PS-4 (2) | AUTOMATED NOTIFICATION | Unchanged | PS-4(2) | AUTOMATED ACTIONS | mechanical | |
| PS | PS-5 | PERSONNEL TRANSFER | Unchanged | PS-5 | PERSONNEL TRANSFER | mechanical | |
| PS | PS-6 | ACCESS AGREEMENTS | Unchanged | PS-6 | ACCESS AGREEMENTS | mechanical | |
| PS | PS-6 (1) | INFORMATION REQUIRING SPECIAL PROTECTION | Incorporated Into | PS-3 | Incorporated into PS-3 | mechanical | |
| PS | PS-6 (2) | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION | Unchanged | PS-6(2) | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION | mechanical | |
| PS | PS-6 (3) | POST-EMPLOYMENT REQUIREMENTS | Unchanged | PS-6(3) | POST-EMPLOYMENT REQUIREMENTS | mechanical | |
| PS | PS-7 | THIRD-PARTY PERSONNEL SECURITY | Unchanged | PS-7 | EXTERNAL PERSONNEL SECURITY | mechanical | |
| PS | PS-8 | PERSONNEL SANCTIONS | Unchanged | PS-8 | PERSONNEL SANCTIONS | mechanical | |
| PS | — | | New In R5 | PS-9 | POSITION DESCRIPTIONS | mechanical | |
| PT | — | | New In R5 | PT-1 | POLICY AND PROCEDURES | mechanical | |
| PT | — | | New In R5 | PT-2 | AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| PT | — | | New In R5 | PT-2(1) | DATA TAGGING | mechanical | |
| PT | — | | New In R5 | PT-2(2) | AUTOMATION | mechanical | |
| PT | — | | New In R5 | PT-3 | PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | mechanical | |
| PT | — | | New In R5 | PT-3(1) | DATA TAGGING | mechanical | |
| PT | — | | New In R5 | PT-3(2) | AUTOMATION | mechanical | |
| PT | — | | New In R5 | PT-4 | CONSENT | mechanical | |
| PT | — | | New In R5 | PT-4(1) | TAILORED CONSENT | mechanical | |
| PT | — | | New In R5 | PT-4(2) | JUST-IN-TIME CONSENT | mechanical | |
| PT | — | | New In R5 | PT-4(3) | REVOCATION | mechanical | |
| PT | — | | New In R5 | PT-5 | PRIVACY NOTICE | mechanical | |
| PT | — | | New In R5 | PT-5(1) | JUST-IN-TIME NOTICE | mechanical | |
| PT | — | | New In R5 | PT-5(2) | PRIVACY ACT STATEMENTS | mechanical | |
| PT | — | | New In R5 | PT-6 | SYSTEM OF RECORDS NOTICE | mechanical | |
| PT | — | | New In R5 | PT-6(1) | ROUTINE USES | mechanical | |
| PT | — | | New In R5 | PT-6(2) | EXEMPTION RULES | mechanical | |
| PT | — | | New In R5 | PT-7 | SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| PT | — | | New In R5 | PT-7(1) | SOCIAL SECURITY NUMBERS | mechanical | |
| PT | — | | New In R5 | PT-7(2) | FIRST AMENDMENT INFORMATION | mechanical | |
| PT | — | | New In R5 | PT-8 | COMPUTER MATCHING REQUIREMENTS | mechanical | |
| RA | RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES | Unchanged | RA-1 | POLICY AND PROCEDURES | mechanical | |
| RA | RA-2 | SECURITY CATEGORIZATION | Unchanged | RA-2 | SECURITY CATEGORIZATION | mechanical | |
| RA | — | | New In R5 | RA-2(1) | IMPACT-LEVEL PRIORITIZATION | mechanical | |
| RA | RA-3 | RISK ASSESSMENT | Unchanged | RA-3 | RISK ASSESSMENT | mechanical | |
| RA | — | | New In R5 | RA-3(1) | SUPPLY CHAIN RISK ASSESSMENT | mechanical | |
| RA | — | | New In R5 | RA-3(2) | USE OF ALL-SOURCE INTELLIGENCE | mechanical | |
| RA | — | | New In R5 | RA-3(3) | DYNAMIC THREAT AWARENESS | mechanical | |
| RA | — | | New In R5 | RA-3(4) | PREDICTIVE CYBER ANALYTICS | mechanical | |
| RA | RA-4 | RISK ASSESSMENT UPDATE | Incorporated Into | RA-3 | Incorporated into RA-3 | mechanical | |
| RA | RA-5 | VULNERABILITY SCANNING | Unchanged | RA-5 | VULNERABILITY MONITORING AND SCANNING | mechanical | |
| RA | RA-5 (1) | UPDATE TOOL CAPABILITY | Incorporated Into | RA-5 | Incorporated into RA-5 | mechanical | |
| RA | RA-5 (2) | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED | Unchanged | RA-5(2) | UPDATE VULNERABILITIES TO BE SCANNED | mechanical | |
| RA | RA-5 (3) | BREADTH / DEPTH OF COVERAGE | Unchanged | RA-5(3) | BREADTH AND DEPTH OF COVERAGE | mechanical | |
| RA | RA-5 (4) | DISCOVERABLE INFORMATION | Unchanged | RA-5(4) | DISCOVERABLE INFORMATION | mechanical | |
| RA | RA-5 (5) | PRIVILEGED ACCESS | Unchanged | RA-5(5) | PRIVILEGED ACCESS | mechanical | |
| RA | RA-5 (6) | AUTOMATED TREND ANALYSES | Unchanged | RA-5(6) | AUTOMATED TREND ANALYSES | mechanical | |
| RA | RA-5 (7) | AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS | Incorporated Into | CM-8 | Incorporated into CM-8 | mechanical | |
| RA | RA-5 (8) | REVIEW HISTORIC AUDIT LOGS | Unchanged | RA-5(8) | REVIEW HISTORIC AUDIT LOGS | mechanical | |
| RA | RA-5 (9) | PENETRATION TESTING AND ANALYSES | Incorporated Into | CA-8 | Incorporated into CA-8 | mechanical | |
| RA | RA-5 (10) | CORRELATE SCANNING INFORMATION | Unchanged | RA-5(10) | CORRELATE SCANNING INFORMATION | mechanical | |
| RA | — | | New In R5 | RA-5(11) | PUBLIC DISCLOSURE PROGRAM | mechanical | |
| RA | RA-6 | TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY | Unchanged | RA-6 | TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY | mechanical | |
| RA | — | | New In R5 | RA-7 | RISK RESPONSE | mechanical | |
| RA | — | | New In R5 | RA-8 | PRIVACY IMPACT ASSESSMENTS | mechanical | |
| RA | — | | New In R5 | RA-9 | CRITICALITY ANALYSIS | mechanical | |
| RA | — | | New In R5 | RA-10 | THREAT HUNTING | mechanical | |
| SA | SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | Unchanged | SA-1 | POLICY AND PROCEDURES | mechanical | |
| SA | SA-2 | ALLOCATION OF RESOURCES | Unchanged | SA-2 | ALLOCATION OF RESOURCES | mechanical | |
| SA | SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | Unchanged | SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | mechanical | |
| SA | — | | New In R5 | SA-3(1) | MANAGE PREPRODUCTION ENVIRONMENT | mechanical | |
| SA | — | | New In R5 | SA-3(2) | USE OF LIVE OR OPERATIONAL DATA | mechanical | |
| SA | — | | New In R5 | SA-3(3) | TECHNOLOGY REFRESH | mechanical | |
| SA | SA-4 | ACQUISITION PROCESS | Unchanged | SA-4 | ACQUISITION PROCESS | mechanical | |
| SA | SA-4 (1) | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS | Unchanged | SA-4(1) | FUNCTIONAL PROPERTIES OF CONTROLS | mechanical | |
| SA | SA-4 (2) | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS | Unchanged | SA-4(2) | DESIGN AND IMPLEMENTATION INFORMATION FOR CONTROLS | mechanical | |
| SA | SA-4 (3) | DEVELOPMENT METHODS / TECHNIQUES / PRACTICES | Unchanged | SA-4(3) | DEVELOPMENT METHODS, TECHNIQUES, AND PRACTICES | mechanical | |
| SA | SA-4 (4) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | Incorporated Into | CM-8(9) | Incorporated into CM-8(9) | mechanical | |
| SA | SA-4 (5) | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS | Unchanged | SA-4(5) | SYSTEM, COMPONENT, AND SERVICE CONFIGURATIONS | mechanical | |
| SA | SA-4 (6) | USE OF INFORMATION ASSURANCE PRODUCTS | Unchanged | SA-4(6) | USE OF INFORMATION ASSURANCE PRODUCTS | mechanical | |
| SA | SA-4 (7) | NIAP-APPROVED PROTECTION PROFILES | Unchanged | SA-4(7) | NIAP-APPROVED PROTECTION PROFILES | mechanical | |
| SA | SA-4 (8) | CONTINUOUS MONITORING PLAN | Unchanged | SA-4(8) | CONTINUOUS MONITORING PLAN FOR CONTROLS | mechanical | |
| SA | SA-4 (9) | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE | Unchanged | SA-4(9) | FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES IN USE | mechanical | |
| SA | SA-4 (10) | USE OF APPROVED PIV PRODUCTS | Unchanged | SA-4(10) | USE OF APPROVED PIV PRODUCTS | mechanical | |
| SA | — | | New In R5 | SA-4(11) | SYSTEM OF RECORDS | mechanical | |
| SA | — | | New In R5 | SA-4(12) | DATA OWNERSHIP | mechanical | |
| SA | SA-5 | INFORMATION SYSTEM DOCUMENTATION | Unchanged | SA-5 | SYSTEM DOCUMENTATION | mechanical | |
| SA | SA-5 (1) | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS | Incorporated Into | SA-4(1) | Incorporated into SA-4(1) | mechanical | |
| SA | SA-5 (2) | SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES | Incorporated Into | SA-4(2) | Incorporated into SA-4(2) | mechanical | |
| SA | SA-5 (3) | HIGH-LEVEL DESIGN | Incorporated Into | SA-4(2) | Incorporated into SA-4(2) | mechanical | |
| SA | SA-5 (4) | LOW-LEVEL DESIGN | Incorporated Into | SA-4(2) | Incorporated into SA-4(2) | mechanical | |
| SA | SA-5 (5) | SOURCE CODE | Incorporated Into | SA-4(2) | Incorporated into SA-4(2) | mechanical | |
| SA | SA-6 | SOFTWARE USAGE RESTRICTIONS | Incorporated Into | CM-10, SI-7 | Incorporated into CM-10, SI-7 | mechanical | |
| SA | SA-7 | USER-INSTALLED SOFTWARE | Incorporated Into | CM-11, SI-7 | Incorporated into CM-11, SI-7 | mechanical | |
| SA | SA-8 | SECURITY ENGINEERING PRINCIPLES | Unchanged | SA-8 | SECURITY AND PRIVACY ENGINEERING PRINCIPLES | mechanical | |
| SA | — | | New In R5 | SA-8(1) | CLEAR ABSTRACTIONS | mechanical | |
| SA | — | | New In R5 | SA-8(2) | LEAST COMMON MECHANISM | mechanical | |
| SA | — | | New In R5 | SA-8(3) | MODULARITY AND LAYERING | mechanical | |
| SA | — | | New In R5 | SA-8(4) | PARTIALLY ORDERED DEPENDENCIES | mechanical | |
| SA | — | | New In R5 | SA-8(5) | EFFICIENTLY MEDIATED ACCESS | mechanical | |
| SA | — | | New In R5 | SA-8(6) | MINIMIZED SHARING | mechanical | |
| SA | — | | New In R5 | SA-8(7) | REDUCED COMPLEXITY | mechanical | |
| SA | — | | New In R5 | SA-8(8) | SECURE EVOLVABILITY | mechanical | |
| SA | — | | New In R5 | SA-8(9) | TRUSTED COMPONENTS | mechanical | |
| SA | — | | New In R5 | SA-8(10) | HIERARCHICAL TRUST | mechanical | |
| SA | — | | New In R5 | SA-8(11) | INVERSE MODIFICATION THRESHOLD | mechanical | |
| SA | — | | New In R5 | SA-8(12) | HIERARCHICAL PROTECTION | mechanical | |
| SA | — | | New In R5 | SA-8(13) | MINIMIZED SECURITY ELEMENTS | mechanical | |
| SA | — | | New In R5 | SA-8(14) | LEAST PRIVILEGE | mechanical | |
| SA | — | | New In R5 | SA-8(15) | PREDICATE PERMISSION | mechanical | |
| SA | — | | New In R5 | SA-8(16) | SELF-RELIANT TRUSTWORTHINESS | mechanical | |
| SA | — | | New In R5 | SA-8(17) | SECURE DISTRIBUTED COMPOSITION | mechanical | |
| SA | — | | New In R5 | SA-8(18) | TRUSTED COMMUNICATIONS CHANNELS | mechanical | |
| SA | — | | New In R5 | SA-8(19) | CONTINUOUS PROTECTION | mechanical | |
| SA | — | | New In R5 | SA-8(20) | SECURE METADATA MANAGEMENT | mechanical | |
| SA | — | | New In R5 | SA-8(21) | SELF-ANALYSIS | mechanical | |
| SA | — | | New In R5 | SA-8(22) | ACCOUNTABILITY AND TRACEABILITY | mechanical | |
| SA | — | | New In R5 | SA-8(23) | SECURE DEFAULTS | mechanical | |
| SA | — | | New In R5 | SA-8(24) | SECURE FAILURE AND RECOVERY | mechanical | |
| SA | — | | New In R5 | SA-8(25) | ECONOMIC SECURITY | mechanical | |
| SA | — | | New In R5 | SA-8(26) | PERFORMANCE SECURITY | mechanical | |
| SA | — | | New In R5 | SA-8(27) | HUMAN FACTORED SECURITY | mechanical | |
| SA | — | | New In R5 | SA-8(28) | ACCEPTABLE SECURITY | mechanical | |
| SA | — | | New In R5 | SA-8(29) | REPEATABLE AND DOCUMENTED PROCEDURES | mechanical | |
| SA | — | | New In R5 | SA-8(30) | PROCEDURAL RIGOR | mechanical | |
| SA | — | | New In R5 | SA-8(31) | SECURE SYSTEM MODIFICATION | mechanical | |
| SA | — | | New In R5 | SA-8(32) | SUFFICIENT DOCUMENTATION | mechanical | |
| SA | — | | New In R5 | SA-8(33) | MINIMIZATION | mechanical | |
| SA | SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES | Unchanged | SA-9 | EXTERNAL SYSTEM SERVICES | mechanical | |
| SA | SA-9 (1) | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS | Unchanged | SA-9(1) | RISK ASSESSMENTS AND ORGANIZATIONAL APPROVALS | mechanical | |
| SA | SA-9 (2) | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES | Unchanged | SA-9(2) | IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES | mechanical | |
| SA | SA-9 (3) | ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS | Unchanged | SA-9(3) | ESTABLISH AND MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS | mechanical | |
| SA | SA-9 (4) | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS | Unchanged | SA-9(4) | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS | mechanical | |
| SA | SA-9 (5) | PROCESSING, STORAGE, AND SERVICE LOCATION | Unchanged | SA-9(5) | PROCESSING, STORAGE, AND SERVICE LOCATION | mechanical | |
| SA | — | | New In R5 | SA-9(6) | ORGANIZATION-CONTROLLED CRYPTOGRAPHIC KEYS | mechanical | |
| SA | — | | New In R5 | SA-9(7) | ORGANIZATION-CONTROLLED INTEGRITY CHECKING | mechanical | |
| SA | — | | New In R5 | SA-9(8) | PROCESSING AND STORAGE LOCATION — U.S. JURISDICTION | mechanical | |
| SA | SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | Unchanged | SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | mechanical | |
| SA | SA-10 (1) | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION | Unchanged | SA-10(1) | SOFTWARE AND FIRMWARE INTEGRITY VERIFICATION | mechanical | |
| SA | SA-10 (2) | ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES | Unchanged | SA-10(2) | ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES | mechanical | |
| SA | SA-10 (3) | HARDWARE INTEGRITY VERIFICATION | Unchanged | SA-10(3) | HARDWARE INTEGRITY VERIFICATION | mechanical | |
| SA | SA-10 (4) | TRUSTED GENERATION | Unchanged | SA-10(4) | TRUSTED GENERATION | mechanical | |
| SA | SA-10 (5) | MAPPING INTEGRITY FOR VERSION CONTROL | Unchanged | SA-10(5) | MAPPING INTEGRITY FOR VERSION CONTROL | mechanical | |
| SA | SA-10 (6) | TRUSTED DISTRIBUTION | Unchanged | SA-10(6) | TRUSTED DISTRIBUTION | mechanical | |
| SA | — | | New In R5 | SA-10(7) | SECURITY AND PRIVACY REPRESENTATIVES | mechanical | |
| SA | SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION | Unchanged | SA-11 | DEVELOPER TESTING AND EVALUATION | mechanical | |
| SA | SA-11 (1) | STATIC CODE ANALYSIS | Unchanged | SA-11(1) | STATIC CODE ANALYSIS | mechanical | |
| SA | SA-11 (2) | THREAT AND VULNERABILITY ANALYSES | Unchanged | SA-11(2) | THREAT MODELING AND VULNERABILITY ANALYSES | mechanical | |
| SA | SA-11 (3) | INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE | Unchanged | SA-11(3) | INDEPENDENT VERIFICATION OF ASSESSMENT PLANS AND EVIDENCE | mechanical | |
| SA | SA-11 (4) | MANUAL CODE REVIEWS | Unchanged | SA-11(4) | MANUAL CODE REVIEWS | mechanical | |
| SA | SA-11 (5) | PENETRATION TESTING | Unchanged | SA-11(5) | PENETRATION TESTING | mechanical | |
| SA | SA-11 (6) | ATTACK SURFACE REVIEWS | Unchanged | SA-11(6) | ATTACK SURFACE REVIEWS | mechanical | |
| SA | SA-11 (7) | VERIFY SCOPE OF TESTING / EVALUATION | Unchanged | SA-11(7) | VERIFY SCOPE OF TESTING AND EVALUATION | mechanical | |
| SA | SA-11 (8) | DYNAMIC CODE ANALYSIS | Unchanged | SA-11(8) | DYNAMIC CODE ANALYSIS | mechanical | |
| SA | — | | New In R5 | SA-11(9) | INTERACTIVE APPLICATION SECURITY TESTING | mechanical | |
| SA | SA-12 | SUPPLY CHAIN PROTECTION | Withdrawn | — | | mechanical | |
| SA | SA-12 (1) | ACQUISITION STRATEGIES / TOOLS / METHODS | Withdrawn | — | | mechanical | |
| SA | SA-12 (2) | SUPPLIER REVIEWS | Withdrawn | — | | mechanical | |
| SA | SA-12 (3) | TRUSTED SHIPPING AND WAREHOUSING | Incorporated Into | SR-3 | Incorporated into SR-3 | mechanical | |
| SA | SA-12 (4) | DIVERSITY OF SUPPLIERS | Withdrawn | — | | mechanical | |
| SA | SA-12 (5) | LIMITATION OF HARM | Withdrawn | — | | mechanical | |
| SA | SA-12 (6) | MINIMIZING PROCUREMENT TIME | Incorporated Into | SR-5(1) | Incorporated into SR-5(1) | mechanical | |
| SA | SA-12 (7) | ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE | Withdrawn | — | | mechanical | |
| SA | SA-12 (8) | USE OF ALL-SOURCE INTELLIGENCE | Incorporated Into | RA-3(2) | Incorporated into RA-3(2) | mechanical | |
| SA | SA-12 (9) | OPERATIONS SECURITY | Withdrawn | — | | mechanical | |
| SA | SA-12 (10) | VALIDATE AS GENUINE AND NOT ALTERED | Withdrawn | — | | mechanical | |
| SA | SA-12 (11) | PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS | Withdrawn | — | | mechanical | |
| SA | SA-12 (12) | INTER-ORGANIZATIONAL AGREEMENTS | Withdrawn | — | | mechanical | |
| SA | SA-12 (13) | CRITICAL INFORMATION SYSTEM COMPONENTS | Incorporated Into | MA-6, RA-9 | Incorporated into MA-6, RA-9 | mechanical | |
| SA | SA-12 (14) | IDENTITY AND TRACEABILITY | Incorporated Into | SR-4(1), SR-4(2) | Incorporated into SR-4(1), SR-4(2) | mechanical | |
| SA | SA-12 (15) | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES | Incorporated Into | SR-3 | Incorporated into SR-3 | mechanical | |
| SA | SA-13 | TRUSTWORTHINESS | Incorporated Into | SA-8 | Incorporated into SA-8 | mechanical | |
| SA | SA-14 | CRITICALITY ANALYSIS | Incorporated Into | RA-9 | Incorporated into RA-9 | mechanical | |
| SA | SA-14 (1) | CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING | Incorporated Into | SA-20 | Incorporated into SA-20 | mechanical | |
| SA | SA-15 | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | Unchanged | SA-15 | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | mechanical | |
| SA | SA-15 (1) | QUALITY METRICS | Unchanged | SA-15(1) | QUALITY METRICS | mechanical | |
| SA | SA-15 (2) | SECURITY TRACKING TOOLS | Unchanged | SA-15(2) | SECURITY AND PRIVACY TRACKING TOOLS | mechanical | |
| SA | SA-15 (3) | CRITICALITY ANALYSIS | Unchanged | SA-15(3) | CRITICALITY ANALYSIS | mechanical | |
| SA | SA-15 (4) | THREAT MODELING / VULNERABILITY ANALYSIS | Incorporated Into | SA-11(2) | Incorporated into SA-11(2) | mechanical | |
| SA | SA-15 (5) | ATTACK SURFACE REDUCTION | Unchanged | SA-15(5) | ATTACK SURFACE REDUCTION | mechanical | |
| SA | SA-15 (6) | CONTINUOUS IMPROVEMENT | Unchanged | SA-15(6) | CONTINUOUS IMPROVEMENT | mechanical | |
| SA | SA-15 (7) | AUTOMATED VULNERABILITY ANALYSIS | Unchanged | SA-15(7) | AUTOMATED VULNERABILITY ANALYSIS | mechanical | |
| SA | SA-15 (8) | REUSE OF THREAT / VULNERABILITY INFORMATION | Unchanged | SA-15(8) | REUSE OF THREAT AND VULNERABILITY INFORMATION | mechanical | |
| SA | SA-15 (9) | USE OF LIVE DATA | Incorporated Into | SA-3(2) | Incorporated into SA-3(2) | mechanical | |
| SA | SA-15 (10) | INCIDENT RESPONSE PLAN | Unchanged | SA-15(10) | INCIDENT RESPONSE PLAN | mechanical | |
| SA | SA-15 (11) | ARCHIVE INFORMATION SYSTEM / COMPONENT | Unchanged | SA-15(11) | ARCHIVE SYSTEM OR COMPONENT | mechanical | |
| SA | — | | New In R5 | SA-15(12) | MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| SA | SA-16 | DEVELOPER-PROVIDED TRAINING | Unchanged | SA-16 | DEVELOPER-PROVIDED TRAINING | mechanical | |
| SA | SA-17 | DEVELOPER SECURITY ARCHITECTURE AND DESIGN | Unchanged | SA-17 | DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | mechanical | |
| SA | SA-17 (1) | FORMAL POLICY MODEL | Unchanged | SA-17(1) | FORMAL POLICY MODEL | mechanical | |
| SA | SA-17 (2) | SECURITY-RELEVANT COMPONENTS | Unchanged | SA-17(2) | SECURITY-RELEVANT COMPONENTS | mechanical | |
| SA | SA-17 (3) | FORMAL CORRESPONDENCE | Unchanged | SA-17(3) | FORMAL CORRESPONDENCE | mechanical | |
| SA | SA-17 (4) | INFORMAL CORRESPONDENCE | Unchanged | SA-17(4) | INFORMAL CORRESPONDENCE | mechanical | |
| SA | SA-17 (5) | CONCEPTUALLY SIMPLE DESIGN | Unchanged | SA-17(5) | CONCEPTUALLY SIMPLE DESIGN | mechanical | |
| SA | SA-17 (6) | STRUCTURE FOR TESTING | Unchanged | SA-17(6) | STRUCTURE FOR TESTING | mechanical | |
| SA | SA-17 (7) | STRUCTURE FOR LEAST PRIVILEGE | Unchanged | SA-17(7) | STRUCTURE FOR LEAST PRIVILEGE | mechanical | |
| SA | — | | New In R5 | SA-17(8) | ORCHESTRATION | mechanical | |
| SA | — | | New In R5 | SA-17(9) | DESIGN DIVERSITY | mechanical | |
| SA | SA-18 | TAMPER RESISTANCE AND DETECTION | Withdrawn | — | | mechanical | |
| SA | SA-18 (1) | MULTIPLE PHASES OF SDLC | Withdrawn | — | | mechanical | |
| SA | SA-18 (2) | INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES | Withdrawn | — | | mechanical | |
| SA | SA-19 | COMPONENT AUTHENTICITY | Withdrawn | — | | mechanical | |
| SA | SA-19 (1) | ANTI-COUNTERFEIT TRAINING | Withdrawn | — | | mechanical | |
| SA | SA-19 (2) | CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR | Withdrawn | — | | mechanical | |
| SA | SA-19 (3) | COMPONENT DISPOSAL | Withdrawn | — | | mechanical | |
| SA | SA-19 (4) | ANTI-COUNTERFEIT SCANNING | Withdrawn | — | | mechanical | |
| SA | SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | Unchanged | SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | mechanical | |
| SA | SA-21 | DEVELOPER SCREENING | Unchanged | SA-21 | DEVELOPER SCREENING | mechanical | |
| SA | SA-21 (1) | VALIDATION OF SCREENING | Incorporated Into | SA-21 | Incorporated into SA-21 | mechanical | |
| SA | SA-22 | UNSUPPORTED SYSTEM COMPONENTS | Unchanged | SA-22 | UNSUPPORTED SYSTEM COMPONENTS | mechanical | |
| SA | SA-22 (1) | ALTERNATIVE SOURCES FOR CONTINUED SUPPORT | Incorporated Into | SA-22 | Incorporated into SA-22 | mechanical | |
| SA | — | | New In R5 | SA-23 | SPECIALIZATION | mechanical | |
| SC | SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | Unchanged | SC-1 | POLICY AND PROCEDURES | mechanical | |
| SC | SC-2 | APPLICATION PARTITIONING | Unchanged | SC-2 | SEPARATION OF SYSTEM AND USER FUNCTIONALITY | mechanical | |
| SC | SC-2 (1) | INTERFACES FOR NON-PRIVILEGED USERS | Unchanged | SC-2(1) | INTERFACES FOR NON-PRIVILEGED USERS | mechanical | |
| SC | — | | New In R5 | SC-2(2) | DISASSOCIABILITY | mechanical | |
| SC | SC-3 | SECURITY FUNCTION ISOLATION | Unchanged | SC-3 | SECURITY FUNCTION ISOLATION | mechanical | |
| SC | SC-3 (1) | HARDWARE SEPARATION | Unchanged | SC-3(1) | HARDWARE SEPARATION | mechanical | |
| SC | SC-3 (2) | ACCESS / FLOW CONTROL FUNCTIONS | Unchanged | SC-3(2) | ACCESS AND FLOW CONTROL FUNCTIONS | mechanical | |
| SC | SC-3 (3) | MINIMIZE NONSECURITY FUNCTIONALITY | Unchanged | SC-3(3) | MINIMIZE NONSECURITY FUNCTIONALITY | mechanical | |
| SC | SC-3 (4) | MODULE COUPLING AND COHESIVENESS | Unchanged | SC-3(4) | MODULE COUPLING AND COHESIVENESS | mechanical | |
| SC | SC-3 (5) | LAYERED STRUCTURES | Unchanged | SC-3(5) | LAYERED STRUCTURES | mechanical | |
| SC | SC-4 | INFORMATION IN SHARED RESOURCES | Unchanged | SC-4 | INFORMATION IN SHARED SYSTEM RESOURCES | mechanical | |
| SC | SC-4 (1) | SECURITY LEVELS | Incorporated Into | SC-4 | Incorporated into SC-4 | mechanical | |
| SC | SC-4 (2) | PERIODS PROCESSING | Unchanged | SC-4(2) | MULTILEVEL OR PERIODS PROCESSING | mechanical | |
| SC | SC-5 | DENIAL OF SERVICE PROTECTION | Unchanged | SC-5 | DENIAL-OF-SERVICE PROTECTION | mechanical | |
| SC | SC-5 (1) | RESTRICT INTERNAL USERS | Unchanged | SC-5(1) | RESTRICT ABILITY TO ATTACK OTHER SYSTEMS | mechanical | |
| SC | SC-5 (2) | EXCESS CAPACITY / BANDWIDTH / REDUNDANCY | Unchanged | SC-5(2) | CAPACITY, BANDWIDTH, AND REDUNDANCY | mechanical | |
| SC | SC-5 (3) | DETECTION / MONITORING | Unchanged | SC-5(3) | DETECTION AND MONITORING | mechanical | |
| SC | SC-6 | RESOURCE AVAILABILITY | Unchanged | SC-6 | RESOURCE AVAILABILITY | mechanical | |
| SC | SC-7 | BOUNDARY PROTECTION | Unchanged | SC-7 | BOUNDARY PROTECTION | mechanical | |
| SC | SC-7 (1) | PHYSICALLY SEPARATED SUBNETWORKS | Incorporated Into | SC-7 | Incorporated into SC-7 | mechanical | |
| SC | SC-7 (2) | PUBLIC ACCESS | Incorporated Into | SC-7 | Incorporated into SC-7 | mechanical | |
| SC | SC-7 (3) | ACCESS POINTS | Unchanged | SC-7(3) | ACCESS POINTS | mechanical | |
| SC | SC-7 (4) | EXTERNAL TELECOMMUNICATIONS SERVICES | Unchanged | SC-7(4) | EXTERNAL TELECOMMUNICATIONS SERVICES | mechanical | |
| SC | SC-7 (5) | DENY BY DEFAULT / ALLOW BY EXCEPTION | Unchanged | SC-7(5) | DENY BY DEFAULT — ALLOW BY EXCEPTION | mechanical | |
| SC | SC-7 (6) | RESPONSE TO RECOGNIZED FAILURES | Incorporated Into | SC-7(18) | Incorporated into SC-7(18) | mechanical | |
| SC | SC-7 (7) | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES | Unchanged | SC-7(7) | SPLIT TUNNELING FOR REMOTE DEVICES | mechanical | |
| SC | SC-7 (8) | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS | Unchanged | SC-7(8) | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS | mechanical | |
| SC | SC-7 (9) | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC | Unchanged | SC-7(9) | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC | mechanical | |
| SC | SC-7 (10) | PREVENT UNAUTHORIZED EXFILTRATION | Unchanged | SC-7(10) | PREVENT EXFILTRATION | mechanical | |
| SC | SC-7 (11) | RESTRICT INCOMING COMMUNICATIONS TRAFFIC | Unchanged | SC-7(11) | RESTRICT INCOMING COMMUNICATIONS TRAFFIC | mechanical | |
| SC | SC-7 (12) | HOST-BASED PROTECTION | Unchanged | SC-7(12) | HOST-BASED PROTECTION | mechanical | |
| SC | SC-7 (13) | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS | Unchanged | SC-7(13) | ISOLATION OF SECURITY TOOLS, MECHANISMS, AND SUPPORT COMPONENTS | mechanical | |
| SC | SC-7 (14) | PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS | Unchanged | SC-7(14) | PROTECT AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS | mechanical | |
| SC | SC-7 (15) | ROUTE PRIVILEGED NETWORK ACCESSES | Unchanged | SC-7(15) | NETWORKED PRIVILEGED ACCESSES | mechanical | |
| SC | SC-7 (16) | PREVENT DISCOVERY OF COMPONENTS / DEVICES | Unchanged | SC-7(16) | PREVENT DISCOVERY OF SYSTEM COMPONENTS | mechanical | |
| SC | SC-7 (17) | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS | Unchanged | SC-7(17) | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS | mechanical | |
| SC | SC-7 (18) | FAIL SECURE | Unchanged | SC-7(18) | FAIL SECURE | mechanical | |
| SC | SC-7 (19) | BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS | Unchanged | SC-7(19) | BLOCK COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS | mechanical | |
| SC | SC-7 (20) | DYNAMIC ISOLATION / SEGREGATION | Unchanged | SC-7(20) | DYNAMIC ISOLATION AND SEGREGATION | mechanical | |
| SC | SC-7 (21) | ISOLATION OF INFORMATION SYSTEM COMPONENTS | Unchanged | SC-7(21) | ISOLATION OF SYSTEM COMPONENTS | mechanical | |
| SC | SC-7 (22) | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS | Unchanged | SC-7(22) | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS | mechanical | |
| SC | SC-7 (23) | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE | Unchanged | SC-7(23) | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE | mechanical | |
| SC | — | | New In R5 | SC-7(24) | PERSONALLY IDENTIFIABLE INFORMATION | mechanical | |
| SC | — | | New In R5 | SC-7(25) | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS | mechanical | |
| SC | — | | New In R5 | SC-7(26) | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS | mechanical | |
| SC | — | | New In R5 | SC-7(27) | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS | mechanical | |
| SC | — | | New In R5 | SC-7(28) | CONNECTIONS TO PUBLIC NETWORKS | mechanical | |
| SC | — | | New In R5 | SC-7(29) | SEPARATE SUBNETS TO ISOLATE FUNCTIONS | mechanical | |
| SC | SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | Unchanged | SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | mechanical | |
| SC | SC-8 (1) | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION | Unchanged | SC-8(1) | CRYPTOGRAPHIC PROTECTION | mechanical | |
| SC | SC-8 (2) | PRE / POST TRANSMISSION HANDLING | Unchanged | SC-8(2) | PRE- AND POST-TRANSMISSION HANDLING | mechanical | |
| SC | SC-8 (3) | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS | Unchanged | SC-8(3) | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS | mechanical | |
| SC | SC-8 (4) | CONCEAL / RANDOMIZE COMMUNICATIONS | Unchanged | SC-8(4) | CONCEAL OR RANDOMIZE COMMUNICATIONS | mechanical | |
| SC | — | | New In R5 | SC-8(5) | PROTECTED DISTRIBUTION SYSTEM | mechanical | |
| SC | SC-9 | TRANSMISSION CONFIDENTIALITY | Incorporated Into | SC-8 | Incorporated into SC-8 | mechanical | |
| SC | SC-10 | NETWORK DISCONNECT | Unchanged | SC-10 | NETWORK DISCONNECT | mechanical | |
| SC | SC-11 | TRUSTED PATH | Unchanged | SC-11 | TRUSTED PATH | mechanical | |
| SC | SC-11 (1) | LOGICAL ISOLATION | Unchanged | SC-11(1) | IRREFUTABLE COMMUNICATIONS PATH | mechanical | |
| SC | SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | Unchanged | SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | mechanical | |
| SC | SC-12 (1) | AVAILABILITY | Unchanged | SC-12(1) | AVAILABILITY | mechanical | |
| SC | SC-12 (2) | SYMMETRIC KEYS | Unchanged | SC-12(2) | SYMMETRIC KEYS | mechanical | |
| SC | SC-12 (3) | ASYMMETRIC KEYS | Unchanged | SC-12(3) | ASYMMETRIC KEYS | mechanical | |
| SC | SC-12 (4) | PKI CERTIFICATES | Incorporated Into | SC-12(3) | Incorporated into SC-12(3) | mechanical | |
| SC | SC-12 (5) | PKI CERTIFICATES / HARDWARE TOKENS | Incorporated Into | SC-12(3) | Incorporated into SC-12(3) | mechanical | |
| SC | — | | New In R5 | SC-12(6) | PHYSICAL CONTROL OF KEYS | mechanical | |
| SC | SC-13 | CRYPTOGRAPHIC PROTECTION | Unchanged | SC-13 | CRYPTOGRAPHIC PROTECTION | mechanical | |
| SC | SC-13 (1) | FIPS-VALIDATED CRYPTOGRAPHY | Incorporated Into | SC-13 | Incorporated into SC-13 | mechanical | |
| SC | SC-13 (2) | NSA-APPROVED CRYPTOGRAPHY | Incorporated Into | SC-13 | Incorporated into SC-13 | mechanical | |
| SC | SC-13 (3) | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS | Incorporated Into | SC-13 | Incorporated into SC-13 | mechanical | |
| SC | SC-13 (4) | DIGITAL SIGNATURES | Incorporated Into | SC-13 | Incorporated into SC-13 | mechanical | |
| SC | SC-14 | PUBLIC ACCESS PROTECTIONS | Incorporated Into | AC-2, AC-3, AC-5, AC-6, SI-10, SI-3, SI-4, SI-5, SI-7 | Incorporated into AC-2, AC-3, AC-5, AC-6, SI-10, SI-3, SI-4, SI-5, SI-7 | mechanical | |
| SC | SC-15 | COLLABORATIVE COMPUTING DEVICES | Unchanged | SC-15 | COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS | mechanical | |
| SC | SC-15 (1) | PHYSICAL DISCONNECT | Unchanged | SC-15(1) | PHYSICAL OR LOGICAL DISCONNECT | mechanical | |
| SC | SC-15 (2) | BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC | Incorporated Into | SC-7 | Incorporated into SC-7 | mechanical | |
| SC | SC-15 (3) | DISABLING / REMOVAL IN SECURE WORK AREAS | Unchanged | SC-15(3) | DISABLING AND REMOVAL IN SECURE WORK AREAS | mechanical | |
| SC | SC-15 (4) | EXPLICITLY INDICATE CURRENT PARTICIPANTS | Unchanged | SC-15(4) | EXPLICITLY INDICATE CURRENT PARTICIPANTS | mechanical | |
| SC | SC-16 | TRANSMISSION OF SECURITY ATTRIBUTES | Unchanged | SC-16 | TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES | mechanical | |
| SC | SC-16 (1) | INTEGRITY VALIDATION | Unchanged | SC-16(1) | INTEGRITY VERIFICATION | mechanical | |
| SC | — | | New In R5 | SC-16(2) | ANTI-SPOOFING MECHANISMS | mechanical | |
| SC | — | | New In R5 | SC-16(3) | CRYPTOGRAPHIC BINDING | mechanical | |
| SC | SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | Unchanged | SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | mechanical | |
| SC | SC-18 | MOBILE CODE | Unchanged | SC-18 | MOBILE CODE | mechanical | |
| SC | SC-18 (1) | IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS | Unchanged | SC-18(1) | IDENTIFY UNACCEPTABLE CODE AND TAKE CORRECTIVE ACTIONS | mechanical | |
| SC | SC-18 (2) | ACQUISITION / DEVELOPMENT / USE | Unchanged | SC-18(2) | ACQUISITION, DEVELOPMENT, AND USE | mechanical | |
| SC | SC-18 (3) | PREVENT DOWNLOADING / EXECUTION | Unchanged | SC-18(3) | PREVENT DOWNLOADING AND EXECUTION | mechanical | |
| SC | SC-18 (4) | PREVENT AUTOMATIC EXECUTION | Unchanged | SC-18(4) | PREVENT AUTOMATIC EXECUTION | mechanical | |
| SC | SC-18 (5) | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS | Unchanged | SC-18(5) | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS | mechanical | |
| SC | SC-19 | VOICE OVER INTERNET PROTOCOL | Withdrawn | — | | mechanical | |
| SC | SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | Unchanged | SC-20 | SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | mechanical | |
| SC | SC-20 (1) | CHILD SUBSPACES | Incorporated Into | SC-20 | Incorporated into SC-20 | mechanical | |
| SC | SC-20 (2) | DATA ORIGIN / INTEGRITY | Unchanged | SC-20(2) | DATA ORIGIN AND INTEGRITY | mechanical | |
| SC | SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | Unchanged | SC-21 | SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | mechanical | |
| SC | SC-21 (1) | DATA ORIGIN / INTEGRITY | Incorporated Into | SC-21 | Incorporated into SC-21 | mechanical | |
| SC | SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | Unchanged | SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE | mechanical | |
| SC | SC-23 | SESSION AUTHENTICITY | Unchanged | SC-23 | SESSION AUTHENTICITY | mechanical | |
| SC | SC-23 (1) | INVALIDATE SESSION IDENTIFIERS AT LOGOUT | Unchanged | SC-23(1) | INVALIDATE SESSION IDENTIFIERS AT LOGOUT | mechanical | |
| SC | SC-23 (2) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS | Incorporated Into | AC-12(1) | Incorporated into AC-12(1) | mechanical | |
| SC | SC-23 (3) | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION | Unchanged | SC-23(3) | UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS | mechanical | |
| SC | SC-23 (4) | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION | Incorporated Into | SC-23(3) | Incorporated into SC-23(3) | mechanical | |
| SC | SC-23 (5) | ALLOWED CERTIFICATE AUTHORITIES | Unchanged | SC-23(5) | ALLOWED CERTIFICATE AUTHORITIES | mechanical | |
| SC | SC-24 | FAIL IN KNOWN STATE | Unchanged | SC-24 | FAIL IN KNOWN STATE | mechanical | |
| SC | SC-25 | THIN NODES | Unchanged | SC-25 | THIN NODES | mechanical | |
| SC | SC-26 | HONEYPOTS | Unchanged | SC-26 | DECOYS | mechanical | |
| SC | SC-26 (1) | DETECTION OF MALICIOUS CODE | Incorporated Into | SC-35 | Incorporated into SC-35 | mechanical | |
| SC | SC-27 | PLATFORM-INDEPENDENT APPLICATIONS | Unchanged | SC-27 | PLATFORM-INDEPENDENT APPLICATIONS | mechanical | |
| SC | SC-28 | PROTECTION OF INFORMATION AT REST | Unchanged | SC-28 | PROTECTION OF INFORMATION AT REST | mechanical | |
| SC | SC-28 (1) | CRYPTOGRAPHIC PROTECTION | Unchanged | SC-28(1) | CRYPTOGRAPHIC PROTECTION | mechanical | |
| SC | SC-28 (2) | OFF-LINE STORAGE | Unchanged | SC-28(2) | OFFLINE STORAGE | mechanical | |
| SC | — | | New In R5 | SC-28(3) | CRYPTOGRAPHIC KEYS | mechanical | |
| SC | SC-29 | HETEROGENEITY | Unchanged | SC-29 | HETEROGENEITY | mechanical | |
| SC | SC-29 (1) | VIRTUALIZATION TECHNIQUES | Unchanged | SC-29(1) | VIRTUALIZATION TECHNIQUES | mechanical | |
| SC | SC-30 | CONCEALMENT AND MISDIRECTION | Unchanged | SC-30 | CONCEALMENT AND MISDIRECTION | mechanical | |
| SC | SC-30 (1) | VIRTUALIZATION TECHNIQUES | Incorporated Into | SC-29(1) | Incorporated into SC-29(1) | mechanical | |
| SC | SC-30 (2) | RANDOMNESS | Unchanged | SC-30(2) | RANDOMNESS | mechanical | |
| SC | SC-30 (3) | CHANGE PROCESSING / STORAGE LOCATIONS | Unchanged | SC-30(3) | CHANGE PROCESSING AND STORAGE LOCATIONS | mechanical | |
| SC | SC-30 (4) | MISLEADING INFORMATION | Unchanged | SC-30(4) | MISLEADING INFORMATION | mechanical | |
| SC | SC-30 (5) | CONCEALMENT OF SYSTEM COMPONENTS | Unchanged | SC-30(5) | CONCEALMENT OF SYSTEM COMPONENTS | mechanical | |
| SC | SC-31 | COVERT CHANNEL ANALYSIS | Unchanged | SC-31 | COVERT CHANNEL ANALYSIS | mechanical | |
| SC | SC-31 (1) | TEST COVERT CHANNELS FOR EXPLOITABILITY | Unchanged | SC-31(1) | TEST COVERT CHANNELS FOR EXPLOITABILITY | mechanical | |
| SC | SC-31 (2) | MAXIMUM BANDWIDTH | Unchanged | SC-31(2) | MAXIMUM BANDWIDTH | mechanical | |
| SC | SC-31 (3) | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS | Unchanged | SC-31(3) | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS | mechanical | |
| SC | SC-32 | INFORMATION SYSTEM PARTITIONING | Unchanged | SC-32 | SYSTEM PARTITIONING | mechanical | |
| SC | — | | New In R5 | SC-32(1) | SEPARATE PHYSICAL DOMAINS FOR PRIVILEGED FUNCTIONS | mechanical | |
| SC | SC-33 | TRANSMISSION PREPARATION INTEGRITY | Incorporated Into | SC-8 | Incorporated into SC-8 | mechanical | |
| SC | SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMS | Unchanged | SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMS | mechanical | |
| SC | SC-34 (1) | NO WRITABLE STORAGE | Unchanged | SC-34(1) | NO WRITABLE STORAGE | mechanical | |
| SC | SC-34 (2) | INTEGRITY PROTECTION / READ-ONLY MEDIA | Unchanged | SC-34(2) | INTEGRITY PROTECTION ON READ-ONLY MEDIA | mechanical | |
| SC | SC-34 (3) | HARDWARE-BASED PROTECTION | Withdrawn | — | | mechanical | |
| SC | SC-35 | HONEYCLIENTS | Unchanged | SC-35 | EXTERNAL MALICIOUS CODE IDENTIFICATION | mechanical | |
| SC | SC-36 | DISTRIBUTED PROCESSING AND STORAGE | Unchanged | SC-36 | DISTRIBUTED PROCESSING AND STORAGE | mechanical | |
| SC | SC-36 (1) | POLLING TECHNIQUES | Unchanged | SC-36(1) | POLLING TECHNIQUES | mechanical | |
| SC | — | | New In R5 | SC-36(2) | SYNCHRONIZATION | mechanical | |
| SC | SC-37 | OUT-OF-BAND CHANNELS | Unchanged | SC-37 | OUT-OF-BAND CHANNELS | mechanical | |
| SC | SC-37 (1) | ENSURE DELIVERY / TRANSMISSION | Unchanged | SC-37(1) | ENSURE DELIVERY AND TRANSMISSION | mechanical | |
| SC | SC-38 | OPERATIONS SECURITY | Unchanged | SC-38 | OPERATIONS SECURITY | mechanical | |
| SC | SC-39 | PROCESS ISOLATION | Unchanged | SC-39 | PROCESS ISOLATION | mechanical | |
| SC | SC-39 (1) | HARDWARE SEPARATION | Unchanged | SC-39(1) | HARDWARE SEPARATION | mechanical | |
| SC | SC-39 (2) | THREAD ISOLATION | Unchanged | SC-39(2) | SEPARATE EXECUTION DOMAIN PER THREAD | mechanical | |
| SC | SC-40 | WIRELESS LINK PROTECTION | Unchanged | SC-40 | WIRELESS LINK PROTECTION | mechanical | |
| SC | SC-40 (1) | ELECTROMAGNETIC INTERFERENCE | Unchanged | SC-40(1) | ELECTROMAGNETIC INTERFERENCE | mechanical | |
| SC | SC-40 (2) | REDUCE DETECTION POTENTIAL | Unchanged | SC-40(2) | REDUCE DETECTION POTENTIAL | mechanical | |
| SC | SC-40 (3) | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION | Unchanged | SC-40(3) | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION | mechanical | |
| SC | SC-40 (4) | SIGNAL PARAMETER IDENTIFICATION | Unchanged | SC-40(4) | SIGNAL PARAMETER IDENTIFICATION | mechanical | |
| SC | SC-41 | PORT AND I/O DEVICE ACCESS | Unchanged | SC-41 | PORT AND I/O DEVICE ACCESS | mechanical | |
| SC | SC-42 | SENSOR CAPABILITY AND DATA | Unchanged | SC-42 | SENSOR CAPABILITY AND DATA | mechanical | |
| SC | SC-42 (1) | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES | Unchanged | SC-42(1) | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES | mechanical | |
| SC | SC-42 (2) | AUTHORIZED USE | Unchanged | SC-42(2) | AUTHORIZED USE | mechanical | |
| SC | SC-42 (3) | PROHIBIT USE OF DEVICES | Incorporated Into | SC-42 | Incorporated into SC-42 | mechanical | |
| SC | — | | New In R5 | SC-42(4) | NOTICE OF COLLECTION | mechanical | |
| SC | — | | New In R5 | SC-42(5) | COLLECTION MINIMIZATION | mechanical | |
| SC | SC-43 | USAGE RESTRICTIONS | Unchanged | SC-43 | USAGE RESTRICTIONS | mechanical | |
| SC | SC-44 | DETONATION CHAMBERS | Unchanged | SC-44 | DETONATION CHAMBERS | mechanical | |
| SC | — | | New In R5 | SC-45 | SYSTEM TIME SYNCHRONIZATION | mechanical | |
| SC | — | | New In R5 | SC-45(1) | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE | mechanical | |
| SC | — | | New In R5 | SC-45(2) | SECONDARY AUTHORITATIVE TIME SOURCE | mechanical | |
| SC | — | | New In R5 | SC-46 | CROSS DOMAIN POLICY ENFORCEMENT | mechanical | |
| SC | — | | New In R5 | SC-47 | ALTERNATE COMMUNICATIONS PATHS | mechanical | |
| SC | — | | New In R5 | SC-48 | SENSOR RELOCATION | mechanical | |
| SC | — | | New In R5 | SC-48(1) | DYNAMIC RELOCATION OF SENSORS OR MONITORING CAPABILITIES | mechanical | |
| SC | — | | New In R5 | SC-49 | HARDWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT | mechanical | |
| SC | — | | New In R5 | SC-50 | SOFTWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT | mechanical | |
| SC | — | | New In R5 | SC-51 | HARDWARE-BASED PROTECTION | mechanical | |
| SI | SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES | Unchanged | SI-1 | POLICY AND PROCEDURES | mechanical | |
| SI | SI-2 | FLAW REMEDIATION | Unchanged | SI-2 | FLAW REMEDIATION | mechanical | |
| SI | SI-2 (1) | CENTRAL MANAGEMENT | Incorporated Into | PL-9 | Incorporated into PL-9 | mechanical | |
| SI | SI-2 (2) | AUTOMATED FLAW REMEDIATION STATUS | Unchanged | SI-2(2) | AUTOMATED FLAW REMEDIATION STATUS | mechanical | |
| SI | SI-2 (3) | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS | Unchanged | SI-2(3) | TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS | mechanical | |
| SI | SI-2 (4) | AUTOMATED PATCH MANAGEMENT TOOLS | Unchanged | SI-2(4) | AUTOMATED PATCH MANAGEMENT TOOLS | mechanical | |
| SI | SI-2 (5) | AUTOMATIC SOFTWARE / FIRMWARE UPDATES | Unchanged | SI-2(5) | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES | mechanical | |
| SI | SI-2 (6) | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE | Unchanged | SI-2(6) | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE AND FIRMWARE | mechanical | |
| SI | SI-3 | MALICIOUS CODE PROTECTION | Unchanged | SI-3 | MALICIOUS CODE PROTECTION | mechanical | |
| SI | SI-3 (1) | CENTRAL MANAGEMENT | Incorporated Into | PL-9 | Incorporated into PL-9 | mechanical | |
| SI | SI-3 (2) | AUTOMATIC UPDATES | Incorporated Into | SI-3 | Incorporated into SI-3 | mechanical | |
| SI | SI-3 (3) | NON-PRIVILEGED USERS | Incorporated Into | AC-6(10) | Incorporated into AC-6(10) | mechanical | |
| SI | SI-3 (4) | UPDATES ONLY BY PRIVILEGED USERS | Unchanged | SI-3(4) | UPDATES ONLY BY PRIVILEGED USERS | mechanical | |
| SI | SI-3 (5) | PORTABLE STORAGE DEVICES | Incorporated Into | MP-7 | Incorporated into MP-7 | mechanical | |
| SI | SI-3 (6) | TESTING / VERIFICATION | Unchanged | SI-3(6) | TESTING AND VERIFICATION | mechanical | |
| SI | SI-3 (7) | NONSIGNATURE-BASED DETECTION | Incorporated Into | SI-3 | Incorporated into SI-3 | mechanical | |
| SI | SI-3 (8) | DETECT UNAUTHORIZED COMMANDS | Unchanged | SI-3(8) | DETECT UNAUTHORIZED COMMANDS | mechanical | |
| SI | SI-3 (9) | AUTHENTICATE REMOTE COMMANDS | Withdrawn | — | | mechanical | |
| SI | SI-3 (10) | MALICIOUS CODE ANALYSIS | Unchanged | SI-3(10) | MALICIOUS CODE ANALYSIS | mechanical | |
| SI | SI-4 | INFORMATION SYSTEM MONITORING | Unchanged | SI-4 | SYSTEM MONITORING | mechanical | |
| SI | SI-4 (1) | SYSTEM-WIDE INTRUSION DETECTION SYSTEM | Unchanged | SI-4(1) | SYSTEM-WIDE INTRUSION DETECTION SYSTEM | mechanical | |
| SI | SI-4 (2) | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS | Unchanged | SI-4(2) | AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME ANALYSIS | mechanical | |
| SI | SI-4 (3) | AUTOMATED TOOL INTEGRATION | Unchanged | SI-4(3) | AUTOMATED TOOL AND MECHANISM INTEGRATION | mechanical | |
| SI | SI-4 (4) | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC | Unchanged | SI-4(4) | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC | mechanical | |
| SI | SI-4 (5) | SYSTEM-GENERATED ALERTS | Unchanged | SI-4(5) | SYSTEM-GENERATED ALERTS | mechanical | |
| SI | SI-4 (6) | RESTRICT NON-PRIVILEGED USERS | Incorporated Into | AC-6(10) | Incorporated into AC-6(10) | mechanical | |
| SI | SI-4 (7) | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS | Unchanged | SI-4(7) | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS | mechanical | |
| SI | SI-4 (8) | PROTECTION OF MONITORING INFORMATION | Incorporated Into | SI-4 | Incorporated into SI-4 | mechanical | |
| SI | SI-4 (9) | TESTING OF MONITORING TOOLS | Unchanged | SI-4(9) | TESTING OF MONITORING TOOLS AND MECHANISMS | mechanical | |
| SI | SI-4 (10) | VISIBILITY OF ENCRYPTED COMMUNICATIONS | Unchanged | SI-4(10) | VISIBILITY OF ENCRYPTED COMMUNICATIONS | mechanical | |
| SI | SI-4 (11) | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES | Unchanged | SI-4(11) | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES | mechanical | |
| SI | SI-4 (12) | AUTOMATED ALERTS | Unchanged | SI-4(12) | AUTOMATED ORGANIZATION-GENERATED ALERTS | mechanical | |
| SI | SI-4 (13) | ANALYZE TRAFFIC / EVENT PATTERNS | Unchanged | SI-4(13) | ANALYZE TRAFFIC AND EVENT PATTERNS | mechanical | |
| SI | SI-4 (14) | WIRELESS INTRUSION DETECTION | Unchanged | SI-4(14) | WIRELESS INTRUSION DETECTION | mechanical | |
| SI | SI-4 (15) | WIRELESS TO WIRELINE COMMUNICATIONS | Unchanged | SI-4(15) | WIRELESS TO WIRELINE COMMUNICATIONS | mechanical | |
| SI | SI-4 (16) | CORRELATE MONITORING INFORMATION | Unchanged | SI-4(16) | CORRELATE MONITORING INFORMATION | mechanical | |
| SI | SI-4 (17) | INTEGRATED SITUATIONAL AWARENESS | Unchanged | SI-4(17) | INTEGRATED SITUATIONAL AWARENESS | mechanical | |
| SI | SI-4 (18) | ANALYZE TRAFFIC / COVERT EXFILTRATION | Unchanged | SI-4(18) | ANALYZE TRAFFIC AND COVERT EXFILTRATION | mechanical | |
| SI | SI-4 (19) | INDIVIDUALS POSING GREATER RISK | Unchanged | SI-4(19) | RISK FOR INDIVIDUALS | mechanical | |
| SI | SI-4 (20) | PRIVILEGED USERS | Unchanged | SI-4(20) | PRIVILEGED USERS | mechanical | |
| SI | SI-4 (21) | PROBATIONARY PERIODS | Unchanged | SI-4(21) | PROBATIONARY PERIODS | mechanical | |
| SI | SI-4 (22) | UNAUTHORIZED NETWORK SERVICES | Unchanged | SI-4(22) | UNAUTHORIZED NETWORK SERVICES | mechanical | |
| SI | SI-4 (23) | HOST-BASED DEVICES | Unchanged | SI-4(23) | HOST-BASED DEVICES | mechanical | |
| SI | SI-4 (24) | INDICATORS OF COMPROMISE | Unchanged | SI-4(24) | INDICATORS OF COMPROMISE | mechanical | |
| SI | — | | New In R5 | SI-4(25) | OPTIMIZE NETWORK TRAFFIC ANALYSIS | mechanical | |
| SI | SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | Unchanged | SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | mechanical | |
| SI | SI-5 (1) | AUTOMATED ALERTS AND ADVISORIES | Unchanged | SI-5(1) | AUTOMATED ALERTS AND ADVISORIES | mechanical | |
| SI | SI-6 | SECURITY FUNCTION VERIFICATION | Unchanged | SI-6 | SECURITY AND PRIVACY FUNCTION VERIFICATION | mechanical | |
| SI | SI-6 (1) | NOTIFICATION OF FAILED SECURITY TESTS | Incorporated Into | SI-6 | Incorporated into SI-6 | mechanical | |
| SI | SI-6 (2) | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING | Unchanged | SI-6(2) | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING | mechanical | |
| SI | SI-6 (3) | REPORT VERIFICATION RESULTS | Unchanged | SI-6(3) | REPORT VERIFICATION RESULTS | mechanical | |
| SI | SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | Unchanged | SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | mechanical | |
| SI | SI-7 (1) | INTEGRITY CHECKS | Unchanged | SI-7(1) | INTEGRITY CHECKS | mechanical | |
| SI | SI-7 (2) | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS | Unchanged | SI-7(2) | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS | mechanical | |
| SI | SI-7 (3) | CENTRALLY-MANAGED INTEGRITY TOOLS | Unchanged | SI-7(3) | CENTRALLY MANAGED INTEGRITY TOOLS | mechanical | |
| SI | SI-7 (4) | TAMPER-EVIDENT PACKAGING | Incorporated Into | SR-9 | Incorporated into SR-9 | mechanical | |
| SI | SI-7 (5) | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS | Unchanged | SI-7(5) | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS | mechanical | |
| SI | SI-7 (6) | CRYPTOGRAPHIC PROTECTION | Unchanged | SI-7(6) | CRYPTOGRAPHIC PROTECTION | mechanical | |
| SI | SI-7 (7) | INTEGRATION OF DETECTION AND RESPONSE | Unchanged | SI-7(7) | INTEGRATION OF DETECTION AND RESPONSE | mechanical | |
| SI | SI-7 (8) | AUDITING CAPABILITY FOR SIGNIFICANT EVENTS | Unchanged | SI-7(8) | AUDITING CAPABILITY FOR SIGNIFICANT EVENTS | mechanical | |
| SI | SI-7 (9) | VERIFY BOOT PROCESS | Unchanged | SI-7(9) | VERIFY BOOT PROCESS | mechanical | |
| SI | SI-7 (10) | PROTECTION OF BOOT FIRMWARE | Unchanged | SI-7(10) | PROTECTION OF BOOT FIRMWARE | mechanical | |
| SI | SI-7 (11) | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES | Withdrawn | — | | mechanical | |
| SI | SI-7 (12) | INTEGRITY VERIFICATION | Unchanged | SI-7(12) | INTEGRITY VERIFICATION | mechanical | |
| SI | SI-7 (13) | CODE EXECUTION IN PROTECTED ENVIRONMENTS | Withdrawn | — | | mechanical | |
| SI | SI-7 (14) | BINARY OR MACHINE EXECUTABLE CODE | Withdrawn | — | | mechanical | |
| SI | SI-7 (15) | CODE AUTHENTICATION | Unchanged | SI-7(15) | CODE AUTHENTICATION | mechanical | |
| SI | SI-7 (16) | TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION | Unchanged | SI-7(16) | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION | mechanical | |
| SI | — | | New In R5 | SI-7(17) | RUNTIME APPLICATION SELF-PROTECTION | mechanical | |
| SI | SI-8 | SPAM PROTECTION | Unchanged | SI-8 | SPAM PROTECTION | mechanical | |
| SI | SI-8 (1) | CENTRAL MANAGEMENT | Incorporated Into | PL-9 | Incorporated into PL-9 | mechanical | |
| SI | SI-8 (2) | AUTOMATIC UPDATES | Unchanged | SI-8(2) | AUTOMATIC UPDATES | mechanical | |
| SI | SI-8 (3) | CONTINUOUS LEARNING CAPABILITY | Unchanged | SI-8(3) | CONTINUOUS LEARNING CAPABILITY | mechanical | |
| SI | SI-9 | INFORMATION INPUT RESTRICTIONS | Incorporated Into | AC-2, AC-3, AC-5, AC-6 | Incorporated into AC-2, AC-3, AC-5, AC-6 | mechanical | |
| SI | SI-10 | INFORMATION INPUT VALIDATION | Unchanged | SI-10 | INFORMATION INPUT VALIDATION | mechanical | |
| SI | SI-10 (1) | MANUAL OVERRIDE CAPABILITY | Unchanged | SI-10(1) | MANUAL OVERRIDE CAPABILITY | mechanical | |
| SI | SI-10 (2) | REVIEW / RESOLUTION OF ERRORS | Unchanged | SI-10(2) | REVIEW AND RESOLVE ERRORS | mechanical | |
| SI | SI-10 (3) | PREDICTABLE BEHAVIOR | Unchanged | SI-10(3) | PREDICTABLE BEHAVIOR | mechanical | |
| SI | SI-10 (4) | REVIEW / TIMING INTERACTIONS | Unchanged | SI-10(4) | TIMING INTERACTIONS | mechanical | |
| SI | SI-10 (5) | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS | Unchanged | SI-10(5) | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS | mechanical | |
| SI | — | | New In R5 | SI-10(6) | INJECTION PREVENTION | mechanical | |
| SI | SI-11 | ERROR HANDLING | Unchanged | SI-11 | ERROR HANDLING | mechanical | |
| SI | SI-12 | INFORMATION HANDLING AND RETENTION | Unchanged | SI-12 | INFORMATION MANAGEMENT AND RETENTION | mechanical | |
| SI | — | | New In R5 | SI-12(1) | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS | mechanical | |
| SI | — | | New In R5 | SI-12(2) | MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION IN TESTING, TRAINING, AND RESEARCH | mechanical | |
| SI | — | | New In R5 | SI-12(3) | INFORMATION DISPOSAL | mechanical | |
| SI | SI-13 | PREDICTABLE FAILURE PREVENTION | Unchanged | SI-13 | PREDICTABLE FAILURE PREVENTION | mechanical | |
| SI | SI-13 (1) | TRANSFERRING COMPONENT RESPONSIBILITIES | Unchanged | SI-13(1) | TRANSFERRING COMPONENT RESPONSIBILITIES | mechanical | |
| SI | SI-13 (2) | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION | Incorporated Into | SI-7(16) | Incorporated into SI-7(16) | mechanical | |
| SI | SI-13 (3) | MANUAL TRANSFER BETWEEN COMPONENTS | Unchanged | SI-13(3) | MANUAL TRANSFER BETWEEN COMPONENTS | mechanical | |
| SI | SI-13 (4) | STANDBY COMPONENT INSTALLATION / NOTIFICATION | Unchanged | SI-13(4) | STANDBY COMPONENT INSTALLATION AND NOTIFICATION | mechanical | |
| SI | SI-13 (5) | FAILOVER CAPABILITY | Unchanged | SI-13(5) | FAILOVER CAPABILITY | mechanical | |
| SI | SI-14 | NON-PERSISTENCE | Unchanged | SI-14 | NON-PERSISTENCE | mechanical | |
| SI | SI-14 (1) | REFRESH FROM TRUSTED SOURCES | Unchanged | SI-14(1) | REFRESH FROM TRUSTED SOURCES | mechanical | |
| SI | — | | New In R5 | SI-14(2) | NON-PERSISTENT INFORMATION | mechanical | |
| SI | — | | New In R5 | SI-14(3) | NON-PERSISTENT CONNECTIVITY | mechanical | |
| SI | SI-15 | INFORMATION OUTPUT FILTERING | Unchanged | SI-15 | INFORMATION OUTPUT FILTERING | mechanical | |
| SI | SI-16 | MEMORY PROTECTION | Unchanged | SI-16 | MEMORY PROTECTION | mechanical | |
| SI | SI-17 | FAIL-SAFE PROCEDURES | Unchanged | SI-17 | FAIL-SAFE PROCEDURES | mechanical | |
| SI | — | | New In R5 | SI-18 | PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | mechanical | |
| SI | — | | New In R5 | SI-18(1) | AUTOMATION SUPPORT | mechanical | |
| SI | — | | New In R5 | SI-18(2) | DATA TAGS | mechanical | |
| SI | — | | New In R5 | SI-18(3) | COLLECTION | mechanical | |
| SI | — | | New In R5 | SI-18(4) | INDIVIDUAL REQUESTS | mechanical | |
| SI | — | | New In R5 | SI-18(5) | NOTICE OF CORRECTION OR DELETION | mechanical | |
| SI | — | | New In R5 | SI-19 | DE-IDENTIFICATION | mechanical | |
| SI | — | | New In R5 | SI-19(1) | COLLECTION | mechanical | |
| SI | — | | New In R5 | SI-19(2) | ARCHIVING | mechanical | |
| SI | — | | New In R5 | SI-19(3) | RELEASE | mechanical | |
| SI | — | | New In R5 | SI-19(4) | REMOVAL, MASKING, ENCRYPTION, HASHING, OR REPLACEMENT OF DIRECT IDENTIFIERS | mechanical | |
| SI | — | | New In R5 | SI-19(5) | STATISTICAL DISCLOSURE CONTROL | mechanical | |
| SI | — | | New In R5 | SI-19(6) | DIFFERENTIAL PRIVACY | mechanical | |
| SI | — | | New In R5 | SI-19(7) | VALIDATED ALGORITHMS AND SOFTWARE | mechanical | |
| SI | — | | New In R5 | SI-19(8) | MOTIVATED INTRUDER | mechanical | |
| SI | — | | New In R5 | SI-20 | TAINTING | mechanical | |
| SI | — | | New In R5 | SI-21 | INFORMATION REFRESH | mechanical | |
| SI | — | | New In R5 | SI-22 | INFORMATION DIVERSITY | mechanical | |
| SI | — | | New In R5 | SI-23 | INFORMATION FRAGMENTATION | mechanical | |
| SR | — | | New In R5 | SR-1 | POLICY AND PROCEDURES | mechanical | |
| SR | — | | New In R5 | SR-2 | SUPPLY CHAIN RISK MANAGEMENT PLAN | mechanical | |
| SR | — | | New In R5 | SR-2(1) | ESTABLISH SCRM TEAM | mechanical | |
| SR | — | | New In R5 | SR-3 | SUPPLY CHAIN CONTROLS AND PROCESSES | mechanical | |
| SR | — | | New In R5 | SR-3(1) | DIVERSE SUPPLY BASE | mechanical | |
| SR | — | | New In R5 | SR-3(2) | LIMITATION OF HARM | mechanical | |
| SR | — | | New In R5 | SR-3(3) | SUB-TIER FLOW DOWN | mechanical | |
| SR | — | | New In R5 | SR-4 | PROVENANCE | mechanical | |
| SR | — | | New In R5 | SR-4(1) | IDENTITY | mechanical | |
| SR | — | | New In R5 | SR-4(2) | TRACK AND TRACE | mechanical | |
| SR | — | | New In R5 | SR-4(3) | VALIDATE AS GENUINE AND NOT ALTERED | mechanical | |
| SR | — | | New In R5 | SR-4(4) | SUPPLY CHAIN INTEGRITY — PEDIGREE | mechanical | |
| SR | — | | New In R5 | SR-5 | ACQUISITION STRATEGIES, TOOLS, AND METHODS | mechanical | |
| SR | — | | New In R5 | SR-5(1) | ADEQUATE SUPPLY | mechanical | |
| SR | — | | New In R5 | SR-5(2) | ASSESSMENTS PRIOR TO SELECTION, ACCEPTANCE, MODIFICATION, OR UPDATE | mechanical | |
| SR | — | | New In R5 | SR-6 | SUPPLIER ASSESSMENTS AND REVIEWS | mechanical | |
| SR | — | New In R5 | SR-6(1) | TESTING AND ANALYSIS | mechanical | ||
| SR | — | New In R5 | SR-7 | SUPPLY CHAIN OPERATIONS SECURITY | mechanical | ||
| SR | — | New In R5 | SR-8 | NOTIFICATION AGREEMENTS | mechanical | ||
| SR | — | New In R5 | SR-9 | TAMPER RESISTANCE AND DETECTION | mechanical | ||
| SR | — | New In R5 | SR-9(1) | MULTIPLE STAGES OF SYSTEM DEVELOPMENT LIFE CYCLE | mechanical | ||
| SR | — | New In R5 | SR-10 | INSPECTION OF SYSTEMS OR COMPONENTS | mechanical | ||
| SR | — | New In R5 | SR-11 | COMPONENT AUTHENTICITY | mechanical | ||
| SR | — | New In R5 | SR-11(1) | ANTI-COUNTERFEIT TRAINING | mechanical | ||
| SR | — | New In R5 | SR-11(2) | CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR | mechanical | ||
| SR | — | New In R5 | SR-11(3) | ANTI-COUNTERFEIT SCANNING | mechanical | ||
| SR | — | New In R5 | SR-12 | COMPONENT DISPOSAL | mechanical |