Untitled

a guest
Aug 20th, 2019
text 301.40 KB
[
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses purpose?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses scope?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses roles?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses responsibilities?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses management commitment?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses coordination among organizational entities?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document an access control policy that addresses compliance?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization define the personnel or roles to whom the access control policy is to be disseminated?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization disseminate the access control policy to organization-defined personnel or roles?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization develop and document procedures to facilitate the implementation of the access control policy and associated access control controls?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization define the personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization disseminate the procedures to organization-defined personnel or roles?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization define the frequency to review and update the current access control policy?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization review and update the current access control policy with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization define the frequency to review and update the current access control procedures?", "type": "non-technical"},
  {"controlNum": "AC-1", "question": "Does the organization review and update the current access control procedures with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define the information system account types to be identified and selected to support organizational missions/business functions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization identify and select organization-defined information system account types to support organizational missions/business functions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization assign account managers for information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization establish conditions for group and role membership?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization specify, for each account (as required), the authorized users of the information system?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization specify, for each account (as required), group and role membership?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization specify, for each account (as required), access authorizations (i.e., privileges)?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization specify, for each account (as required), other attributes?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define the personnel or roles required to approve requests to create information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization require approvals by organization-defined personnel or roles for requests to create information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define procedures or conditions to create information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define procedures or conditions to enable information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define procedures or conditions to modify information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define procedures or conditions to disable information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define procedures or conditions to remove information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization create information system accounts in accordance with organization-defined procedures or conditions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization enable information system accounts in accordance with organization-defined procedures or conditions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization modify information system accounts in accordance with organization-defined procedures or conditions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization disable information system accounts in accordance with organization-defined procedures or conditions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization remove information system accounts in accordance with organization-defined procedures or conditions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization monitor the use of information system accounts?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization notify account managers when accounts are no longer required?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization notify account managers when users are terminated or transferred?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization notify account managers when individual information system usage or need to know changes?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization authorize access to the information system based on a valid access authorization, intended system usage, and other attributes as required by the organization or associated missions/business functions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization authorize access to the information system based on a valid access authorization?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization authorize access to the information system based on intended system usage?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization authorize access to the information system based on other attributes as required by the organization or associated missions/business functions?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization define the frequency to review accounts for compliance with account management requirements?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization review accounts for compliance with account management requirements with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AC-2", "question": "Does the organization establish a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group?", "type": "non-technical"},
  {"controlNum": "AC-3", "question": "Does the information system enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies?", "type": "technical"},
  {"controlNum": "AC-4", "question": "Does the organization define information flow control policies to control the flow of information within the system and between interconnected systems?", "type": "non-technical"},
  {"controlNum": "AC-4", "question": "Does the information system enforce approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies?", "type": "technical"},
  {"controlNum": "AC-5", "question": "Does the organization define the duties of individuals to be separated?", "type": "non-technical"},
  {"controlNum": "AC-5", "question": "Does the organization separate organization-defined duties of individuals?", "type": "non-technical"},
  {"controlNum": "AC-5", "question": "Does the organization document separation of duties?", "type": "non-technical"},
  {"controlNum": "AC-5", "question": "Does the organization define information system access authorizations to support separation of duties?", "type": "non-technical"},
  {"controlNum": "AC-6", "question": "Does the organization employ the principle of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions?", "type": "non-technical"},
  {"controlNum": "AC-7", "question": "Does the organization define the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period?", "type": "non-technical"},
  {"controlNum": "AC-7", "question": "Does the organization define the time period within which the organization-defined number of consecutive invalid logon attempts by a user is counted?", "type": "non-technical"},
  {"controlNum": "AC-7", "question": "Does the information system enforce a limit of the organization-defined number of consecutive invalid logon attempts by a user during the organization-defined time period?", "type": "technical"},
  {"controlNum": "AC-7", "question": "Does the organization define the account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded?", "type": "non-technical"},
  {"controlNum": "AC-7", "question": "Does the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically lock the account/node for the organization-defined time period?", "type": "technical"},
  {"controlNum": "AC-7", "question": "Does the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically delay the next logon prompt according to the organization-defined delay algorithm?", "type": "technical"},
  {"controlNum": "AC-8", "question": "Does the organization define a system use notification message or banner to be displayed by the information system to users before granting access to the system?", "type": "non-technical"},
  {"controlNum": "AC-8", "question": "Does the information system display to users the organization-defined system use notification message or banner before granting access to the information system, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and stating that users are accessing a U.S. Government information system?", "type": "technical"},
  {"controlNum": "AC-8", "question": "Does the information system display to users the organization-defined system use notification message or banner before granting access to the information system, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and stating that information system usage may be monitored, recorded, and subject to audit?", "type": "technical"},
  {"controlNum": "AC-8", "question": "Does the information system display to users the organization-defined system use notification message or banner before granting access to the information system, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and stating that unauthorized use of the information system is prohibited and subject to criminal and civil penalties?", "type": "technical"},
  {"controlNum": "AC-8", "question": "Does the information system display to users the organization-defined system use notification message or banner before granting access to the information system, providing privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and stating that use of the information system indicates consent to monitoring and recording?", "type": "technical"},
  {"controlNum": "AC-8", "question": "Does the information system retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system?", "type": "technical"},
  {"controlNum": "AC-8", "question": "For publicly accessible systems, does the organization define the conditions for system use to be displayed by the information system before granting further access?", "type": "non-technical"},
  {"controlNum": "AC-8", "question": "For publicly accessible systems, does the information system display the organization-defined conditions for system use before granting further access?", "type": "non-technical"},
  {"controlNum": "AC-8", "question": "For publicly accessible systems, does the information system display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities?", "type": "non-technical"},
  {"controlNum": "AC-8", "question": "For publicly accessible systems, does the information system include a description of the authorized uses of the system?", "type": "non-technical"},
  {"controlNum": "AC-9", "question": "Does the information system notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access)?", "type": "technical"},
  {"controlNum": "AC-10", "question": "Does the organization define the accounts and/or account types for the information system?", "type": "non-technical"},
  {"controlNum": "AC-10", "question": "Does the organization define the number of concurrent sessions to be allowed for each organization-defined account and/or account type?", "type": "non-technical"},
  {"controlNum": "AC-10", "question": "Does the information system limit the number of concurrent sessions for each organization-defined account and/or account type to the organization-defined number of concurrent sessions allowed?", "type": "technical"},
  {"controlNum": "AC-11", "question": "Does the organization define the time period of user inactivity after which the information system initiates a session lock?", "type": "non-technical"},
  {"controlNum": "AC-11", "question": "Does the information system prevent further access to the system by initiating a session lock after the organization-defined time period of user inactivity or upon receiving a request from a user?", "type": "technical"},
  {"controlNum": "AC-11", "question": "Does the information system retain the session lock until the user reestablishes access using established identification and authentication procedures?", "type": "technical"},
  {"controlNum": "AC-12", "question": "Does the organization define the conditions or trigger events requiring session disconnect?", "type": "non-technical"},
  {"controlNum": "AC-12", "question": "Does the information system automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect occur?", "type": "technical"},
  {"controlNum": "AC-14", "question": "Does the organization define the user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions?", "type": "non-technical"},
  {"controlNum": "AC-14", "question": "Does the organization identify organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions?", "type": "non-technical"},
  {"controlNum": "AC-14", "question": "Does the organization document and provide supporting rationale in the security plan for the information system for user actions not requiring identification or authentication?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization define the types of security attributes to be associated with information in storage?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization define the types of security attributes to be associated with information in transmission?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization define security attribute values for the organization-defined types of security attributes?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization provide the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization provide the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization ensure that the security attribute associations are made and retained with the information?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization define the information systems for which the permitted organization-defined security attributes are to be established?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization define the security attributes that are permitted for organization-defined information systems?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization establish the permitted organization-defined security attributes for organization-defined information systems?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization define the values or ranges for each of the established security attributes?", "type": "non-technical"},
  {"controlNum": "AC-16", "question": "Does the organization determine the permitted organization-defined values or ranges for each of the established security attributes?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization identify the types of remote access allowed to the information system?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization establish usage restrictions for each type of remote access allowed?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization establish configuration/connection requirements for each type of remote access allowed?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization establish implementation guidance for each type of remote access allowed?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization document usage restrictions for each type of remote access allowed?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization document configuration/connection requirements for each type of remote access allowed?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization document implementation guidance for each type of remote access allowed?", "type": "non-technical"},
  {"controlNum": "AC-17", "question": "Does the organization authorize remote access to the information system prior to allowing such connections?", "type": "non-technical"},
  {"controlNum": "AC-18", "question": "Does the organization establish usage restrictions for wireless access?", "type": "non-technical"},
  {"controlNum": "AC-18", "question": "Does the organization establish configuration/connection requirements for wireless access?", "type": "non-technical"},
  {"controlNum": "AC-18", "question": "Does the organization establish implementation guidance for wireless access?", "type": "non-technical"},
  {"controlNum": "AC-18", "question": "Does the organization authorize wireless access to the information system prior to allowing such connections?", "type": "non-technical"},
  {"controlNum": "AC-19", "question": "Does the organization establish usage restrictions for organization-controlled mobile devices?", "type": "non-technical"},
  {"controlNum": "AC-19", "question": "Does the organization establish configuration/connection requirements for organization-controlled mobile devices?", "type": "non-technical"},
  {"controlNum": "AC-19", "question": "Does the organization establish implementation guidance for organization-controlled mobile devices?", "type": "non-technical"},
  {"controlNum": "AC-19", "question": "Does the organization authorize the connection of mobile devices to organizational information systems?", "type": "non-technical"},
  {"controlNum": "AC-20", "question": "Does the organization establish terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems?", "type": "non-technical"},
  {"controlNum": "AC-20", "question": "Does the organization establish terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external information systems?", "type": "non-technical"},
  {"controlNum": "AC-21", "question": "Does the organization define the information sharing circumstances where user discretion is required?", "type": "non-technical"},
  {"controlNum": "AC-21", "question": "Does the organization facilitate information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances?", "type": "non-technical"},
  {"controlNum": "AC-21", "question": "Does the organization define the automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions?", "type": "non-technical"},
  {"controlNum": "AC-21", "question": "Does the organization employ organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions?", "type": "non-technical"},
  {"controlNum": "AC-22", "question": "Does the organization designate individuals authorized to post information onto a publicly accessible information system?", "type": "non-technical"},
  {"controlNum": "AC-22", "question": "Does the organization train authorized individuals to ensure that publicly accessible information does not contain nonpublic information?", "type": "non-technical"},
  {"controlNum": "AC-22", "question": "Does the organization review the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included?", "type": "non-technical"},
  {"controlNum": "AC-22", "question": "Does the organization define the frequency to review the content on the publicly accessible information system for nonpublic information?", "type": "non-technical"},
  {"controlNum": "AC-22", "question": "Does the organization review the content on the publicly accessible information system for nonpublic information with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AC-22", "question": "Does the organization remove nonpublic information from the publicly accessible information system, if discovered?", "type": "non-technical"},
  {"controlNum": "AC-23", "question": "Does the organization define the data mining prevention and detection techniques to be employed for organization-defined data storage objects to adequately detect and protect against data mining?", "type": "non-technical"},
  {"controlNum": "AC-23", "question": "Does the organization define the data storage objects to be protected from data mining?", "type": "non-technical"},
  {"controlNum": "AC-23", "question": "Does the organization employ organization-defined data mining prevention and detection techniques for organization-defined data storage objects to adequately detect and protect against data mining?", "type": "non-technical"},
  {"controlNum": "AC-24", "question": "Does the organization define the access control decisions to be applied to each access request prior to access control enforcement?", "type": "non-technical"},
  {"controlNum": "AC-24", "question": "Does the organization establish procedures to ensure organization-defined access control decisions are applied to each access request prior to access control enforcement?", "type": "non-technical"},
  {"controlNum": "AC-25", "question": "Does the organization define the access control policies for which the information system implements a reference monitor to enforce such policies?", "type": "non-technical"},
  {"controlNum": "AC-25", "question": "Does the information system implement a reference monitor for organization-defined access control policies that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured?", "type": "technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses purpose?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses scope?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses roles?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses responsibilities?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses management commitment?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses coordination among organizational entities?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document a security awareness and training policy that addresses compliance?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization define the personnel or roles to whom the security awareness and training policy is to be disseminated?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization disseminate the security awareness and training policy to organization-defined personnel or roles?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization develop and document procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization define the personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization disseminate the procedures to organization-defined personnel or roles?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization define the frequency to review and update the current security awareness and training policy?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization review and update the current security awareness and training policy with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization define the frequency to review and update the current security awareness and training procedures?", "type": "non-technical"},
  {"controlNum": "AT-1", "question": "Does the organization review and update the current security awareness and training procedures with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AT-2", "question": "Does the organization provide basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users?", "type": "non-technical"},
  {"controlNum": "AT-2", "question": "Does the organization provide basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes?", "type": "non-technical"},
  {"controlNum": "AT-2", "question": "Does the organization define the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors)?", "type": "non-technical"},
  {"controlNum": "AT-2", "question": "Does the organization provide refresher security awareness training to information system users (including managers, senior executives, and contractors) with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AT-3", "question": "Does the organization provide role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties?", "type": "non-technical"},
  {"controlNum": "AT-3", "question": "Does the organization provide role-based security training to personnel with assigned security roles and responsibilities when required by information system changes?", "type": "non-technical"},
  {"controlNum": "AT-3", "question": "Does the organization define the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities?", "type": "non-technical"},
  {"controlNum": "AT-3", "question": "Does the organization provide refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency?", "type": "non-technical"},
  {"controlNum": "AT-4", "question": "Does the organization document individual information system security training activities, including basic security awareness training?", "type": "non-technical"},
  {"controlNum": "AT-4", "question": "Does the organization document individual information system security training activities, including specific role-based information system security training?", "type": "non-technical"},
  {"controlNum": "AT-4", "question": "Does the organization monitor individual information system security training activities, including basic security awareness training?", "type": "non-technical"},
  {"controlNum": "AT-4", "question": "Does the organization monitor individual information system security training activities, including specific role-based information system security training?", "type": "non-technical"},
  {"controlNum": "AT-4", "question": "Does the organization define a time period to retain individual training records?", "type": "non-technical"},
  {"controlNum": "AT-4", "question": "Does the organization retain individual training records for the organization-defined time period?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses purpose?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses scope?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses roles?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses responsibilities?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses management commitment?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses coordination among organizational entities?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document an audit and accountability policy that addresses compliance?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization define the personnel or roles to whom the audit and accountability policy is to be disseminated?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization disseminate the audit and accountability policy to organization-defined personnel or roles?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization develop and document procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization define the personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"},
  {"controlNum": "AU-1", "question": "Does the organization disseminate the procedures to organization-defined personnel or roles?", "type": 
"non-technical"}, {"controlNum": "AU-1", "question": "Does the organization defines the frequency to review and update the current audit and accountability policy?", "type": "non-technical"}, {"controlNum": "AU-1", "question": "Does the organization reviews and updates the current audit and accountability policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "AU-1", "question": "Does the organization defines the frequency to review and update the current audit and accountability procedures?", "type": "non-technical"}, {"controlNum": "AU-1", "question": "Does the organization reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization defines the auditable events that the information system must be capable of auditing?", "type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization determines that the information system is capable of auditing organization-defined auditable events?", "type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events?", "type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents?", "type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization defines the subset of auditable events defined in AU-2a that are to be audited within the information system?", "type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization determines that the subset of auditable events defined in AU-2a are to be audited within the information system?", 
"type": "non-technical"}, {"controlNum": "AU-2", "question": "Does the organization determines the frequency of (or situation requiring) auditing for each identified event?", "type": "non-technical"}, {"controlNum": "AU-3", "question": "Does the information system generates audit records containing information that establishes what type of event occurred?", "type": "technical"}, {"controlNum": "AU-3", "question": "Does the information system generates audit records containing information that establishes when the event occurred?", "type": "technical"}, {"controlNum": "AU-3", "question": "Does the information system generates audit records containing information that establishes where the event occurred?", "type": "technical"}, {"controlNum": "AU-3", "question": "Does the information system generates audit records containing information that establishes the source of the event?", "type": "technical"}, {"controlNum": "AU-3", "question": "Does the information system generates audit records containing information that establishes the outcome of the event?", "type": "technical"}, {"controlNum": "AU-3", "question": "Does the information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event?", "type": "technical"}, {"controlNum": "AU-4", "question": "Does the organization defines audit record storage requirements?", "type": "non-technical"}, {"controlNum": "AU-4", "question": "Does the organization allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements?", "type": "non-technical"}, {"controlNum": "AU-5", "question": "Does the organization defines the personnel or roles to be alerted in the event of an audit processing failure?", "type": "non-technical"}, {"controlNum": "AU-5", "question": "Does the information system alerts the organization-defined personnel or roles in the event of an audit processing failure?", "type": 
"technical"}, {"controlNum": "AU-5", "question": "Does the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure?", "type": "non-technical"}, {"controlNum": "AU-5", "question": "Does the information system takes the additional organization-defined actions in the event of an audit processing failure?", "type": "technical"}, {"controlNum": "AU-6", "question": "Does the organization defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed?", "type": "non-technical"}, {"controlNum": "AU-6", "question": "Does the organization defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity?", "type": "non-technical"}, {"controlNum": "AU-6", "question": "Does the organization reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "AU-6", "question": "Does the organization defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported?", "type": "non-technical"}, {"controlNum": "AU-6", "question": "Does the organization reports findings to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "AU-7", "question": "Does the information system provides an audit reduction and report generation capability that supports on-demand audit review?", "type": "technical"}, {"controlNum": "AU-7", "question": "Does the information system provides an audit reduction and report generation capability that supports analysis?", "type": "technical"}, {"controlNum": "AU-7", "question": "Does the information system provides an audit reduction 
and report generation capability that supports reporting requirements?", "type": "technical"}, {"controlNum": "AU-7", "question": "Does the information system provides an audit reduction and report generation capability that supports after-the-fact investigations of security incidents?", "type": "technical"}, {"controlNum": "AU-7", "question": "Does the information system provides an audit reduction and report generation capability that supports does not alter the original content or time ordering of audit records?", "type": "technical"}, {"controlNum": "AU-8", "question": "Does the information system uses internal system clocks to generate time stamps for audit records?", "type": "technical"}, {"controlNum": "AU-8", "question": "Does the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT)?", "type": "technical"}, {"controlNum": "AU-8", "question": "Does the organization defines the granularity of time measurement to be met when recording time stamps for audit records?", "type": "non-technical"}, {"controlNum": "AU-8", "question": "Does the organization records time stamps for audit records that meet the organization-defined granularity of time measurement?", "type": "non-technical"}, {"controlNum": "AU-9", "question": "Does the information system protects audit information from unauthorized access?", "type": "technical"}, {"controlNum": "AU-9", "question": "Does the information system protects audit information from unauthorized modification?", "type": "technical"}, {"controlNum": "AU-9", "question": "Does the information system protects audit information from unauthorized deletion?", "type": "technical"}, {"controlNum": "AU-9", "question": "Does the information system protects audit tools from unauthorized access?", "type": "technical"}, {"controlNum": "AU-9", "question": "Does the information system protects audit tools from unauthorized modification?", "type": "technical"}, 
{"controlNum": "AU-9", "question": "Does the information system protects audit tools from unauthorized deletion?", "type": "technical"}, {"controlNum": "AU-10", "question": "Does the organization defines actions to be covered by non-repudiation?", "type": "non-technical"}, {"controlNum": "AU-10", "question": "Does the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation?", "type": "technical"}, {"controlNum": "AU-11", "question": "Does the organization defines a time period to retain audit records that is consistent with records retention policy?", "type": "non-technical"}, {"controlNum": "AU-11", "question": "Does the organization retains audit records for the organization-defined time period consistent with records retention policy to provide support for after-the-fact investigations of security incidents?", "type": "non-technical"}, {"controlNum": "AU-11", "question": "Does the organization retains audit records for the organization-defined time period consistent with records retention policy to meet regulatory and organizational information retention requirements?", "type": "non-technical"}, {"controlNum": "AU-12", "question": "Does the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a?", "type": "non-technical"}, {"controlNum": "AU-12", "question": "Does the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components?", "type": "technical"}, {"controlNum": "AU-12", "question": "Does the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system?", "type": "non-technical"}, {"controlNum": "AU-12", "question": "Does the information 
system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system?", "type": "technical"}, {"controlNum": "AU-12", "question": "Does the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3?", "type": "technical"}, {"controlNum": "AU-13", "question": "Does the organization defines open source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information?", "type": "non-technical"}, {"controlNum": "AU-13", "question": "Does the organization defines a frequency to monitor organization-defined open source information and/or information sites for evidence of unauthorized disclosure of organizational information?", "type": "non-technical"}, {"controlNum": "AU-13", "question": "Does the organization monitors organization-defined open source information and/or information sites for evidence of unauthorized disclosure of organizational information with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "AU-14", "question": "Does the information system provides the capability for authorized users to select a user session to view/hear?", "type": "technical"}, {"controlNum": "AU-15", "question": "Does the organization defines alternative audit functionality to be provided in the event of a failure in primary audit capability?", "type": "non-technical"}, {"controlNum": "AU-15", "question": "Does the organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality?", "type": "non-technical"}, {"controlNum": "AU-16", "question": "Does the organization defines audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries?", "type": "non-technical"}, {"controlNum": "AU-16", 
"question": "Does the organization defines methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries?", "type": "non-technical"}, {"controlNum": "AU-16", "question": "Does the organization employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses scope?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses roles?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents a security assessment and authorization policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization defines personnel or roles to whom the security assessment and authorization policy is to be 
disseminated?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization disseminates the security assessment and authorization policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization defines the frequency to review and update the current security assessment and authorization policy?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization reviews and updates the current security assessment and authorization policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization defines the frequency to review and update the current security assessment and authorization procedures?", "type": "non-technical"}, {"controlNum": "CA-1", "question": "Does the organization reviews and updates the current security assessment and authorization procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including security controls and control enhancements under assessment?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including assessment 
procedures to be used to determine security control effectiveness?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including assessment environment?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including assessment team?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including assessment roles and responsibilities?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including defines the frequency to assess the security controls in the information system and its environment of operation?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization produces a security assessment report that documents the results of the assessment?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that describes the scope of the assessment including defines individuals or roles to whom the results of the security control assessment are to be provided?", "type": "non-technical"}, {"controlNum": "CA-2", "question": "Does the organization develops a security assessment plan that 
describes the scope of the assessment including provides the results of the security control assessment to organization-defined individuals or roles?", "type": "non-technical"}, {"controlNum": "CA-3", "question": "Does the organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements?", "type": "non-technical"}, {"controlNum": "CA-3", "question": "Does the organization documents, for each interconnection the interface characteristics?", "type": "non-technical"}, {"controlNum": "CA-3", "question": "Does the organization documents, for each interconnection the security requirements?", "type": "non-technical"}, {"controlNum": "CA-3", "question": "Does the organization documents, for each interconnection the nature of the information communicated?", "type": "non-technical"}, {"controlNum": "CA-3", "question": "Does the organization documents, for each interconnection defines the frequency to review and update Interconnection Security Agreements?", "type": "non-technical"}, {"controlNum": "CA-3", "question": "Does the organization documents, for each interconnection reviews and updates Interconnection Security Agreements with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CA-5", "question": "Does the organization develops a plan of action and milestones for the information system to document the organization\u2019s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls?", "type": "non-technical"}, {"controlNum": "CA-5", "question": "Does the organization develops a plan of action and milestones for the information system to reduce or eliminate known vulnerabilities in the system?", "type": "non-technical"}, {"controlNum": "CA-5", "question": "Does the organization develops a plan of action and milestones for the information system to defines the frequency to update the existing plan of action 
and milestones?", "type": "non-technical"}, {"controlNum": "CA-5", "question": "Does the organization develops a plan of action and milestones for the information system to updates the existing plan of action and milestones with the organization-defined frequency based on the findings from security controls assessments?", "type": "non-technical"}, {"controlNum": "CA-5", "question": "Does the organization develops a plan of action and milestones for the information system to updates the existing plan of action and milestones with the organization-defined frequency based on the findings from security impact analyses?", "type": "non-technical"}, {"controlNum": "CA-5", "question": "Does the organization develops a plan of action and milestones for the information system to updates the existing plan of action and milestones with the organization-defined frequency based on the findings from continuous monitoring activities?", "type": "non-technical"}, {"controlNum": "CA-6", "question": "Does the organization assigns a senior-level executive or manager as the authorizing official for the information system?", "type": "non-technical"}, {"controlNum": "CA-6", "question": "Does the organization ensures that the authorizing official authorizes the information system for processing before commencing operations?", "type": "non-technical"}, {"controlNum": "CA-6", "question": "Does the organization defines the frequency to update the security authorization?", "type": "non-technical"}, {"controlNum": "CA-6", "question": "Does the organization updates the security authorization with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that defines metrics to be monitored?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes monitoring of organization-defined metrics?", "type": 
"non-technical"}, {"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that defines frequencies for monitoring?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization defines frequencies for assessments supporting monitoring?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes ongoing security control assessments?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in 
accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CA-7", "question": "Does the organization develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency?", "type": "non-technical"}, 
{"controlNum": "CA-7", "question": "Does the organization implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy?", "type": "non-technical"}, {"controlNum": "CA-8", "question": "Does the organization defines information systems or system components on which penetration testing is to be conducted?", "type": "non-technical"}, {"controlNum": "CA-8", "question": "Does the organization defines the frequency to conduct penetration testing on organization-defined information systems or system components?", "type": "non-technical"}, {"controlNum": "CA-8", "question": "Does the organization conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CA-9", "question": "Does the organization defines information system components or classes of components to be authorized as internal connections to the information system?", "type": "non-technical"}, {"controlNum": "CA-9", "question": "Does the organization authorizes internal connections of organization-defined information system components or classes of components to the information system?", "type": "non-technical"}, {"controlNum": "CA-9", "question": "Does the organization documents, for each internal connection the interface characteristics?", "type": "non-technical"}, {"controlNum": "CA-9", "question": "Does the organization documents, for each internal connection the security requirements?", "type": "non-technical"}, {"controlNum": "CA-9", "question": "Does the organization documents, for each internal connection the nature of the information communicated?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration 
management policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration management policy that addresses scope?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration management policy that addresses roles?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration management policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration management policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration management policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents a configuration management policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization defines personnel or roles to whom the configuration management policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization disseminates the configuration management policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization disseminates the procedures to organization-defined 
personnel or roles?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization defines the frequency to review and update the current configuration management policy?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization reviews and updates the current configuration management policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization defines the frequency to review and update the current configuration management procedures?", "type": "non-technical"}, {"controlNum": "CM-1", "question": "Does the organization reviews and updates the current configuration management procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CM-2", "question": "Does the organization develops and documents a current baseline configuration of the information system?", "type": "non-technical"}, {"controlNum": "CM-2", "question": "Does the organization maintains, under configuration control, a current baseline configuration of the information system?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization determines the type of changes to the information system that must be configuration-controlled?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization documents configuration change decisions associated with the information system?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization implements approved configuration-controlled changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization defines a time period to 
retain records of configuration-controlled changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization retains records of configuration-controlled changes to the information system for the organization-defined time period?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization audits and reviews activities associated with configuration-controlled changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization defines configuration change conditions that prompt the configuration change control element to convene?", "type": "non-technical"}, {"controlNum": "CM-3", "question": "Does the organization coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and/or for any organization-defined configuration change conditions?", "type": "non-technical"}, {"controlNum": "CM-4", "question": "Does the organization analyzes changes to the information system to determine potential security impacts prior to change implementation?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization defines physical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization documents physical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization approves physical access restrictions associated with changes to the information system?", 
"type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization enforces physical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization defines logical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization documents logical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization approves logical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-5", "question": "Does the organization enforces logical access restrictions associated with changes to the information system?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization implements the configuration settings established/documented in CM-6(a);?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization defines information system components for which any deviations from established configuration settings must be identified?", "type": "non-technical"}, 
{"controlNum": "CM-6", "question": "Does the organization defines information system components for which any deviations from established configuration settings must be documented?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization defines information system components for which any deviations from established configuration settings must be approved?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization defines operational requirements to support the identification of any deviations from established configuration settings?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization defines operational requirements to support the documentation of any deviations from established configuration settings?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization defines operational requirements to support the approval of any deviations from established configuration settings?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements?", "type": "non-technical"}, {"controlNum": "CM-6", "question": "Does the organization monitors changes to the configuration settings in accordance with organizational policies and procedures?", "type": 
"non-technical"}, {"controlNum": "CM-6", "question": "Does the organization controls changes to the configuration settings in accordance with organizational policies and procedures?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization configures the information system to provide only essential capabilities?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization defines prohibited or restricted functions?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization defines prohibited or restricted ports?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization defines prohibited or restricted services?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization prohibits or restricts the use of organization-defined functions?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization prohibits or restricts the use of organization-defined ports?", "type": "non-technical"}, {"controlNum": "CM-7", "question": "Does the organization prohibits or restricts the use of organization-defined services?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization develops and documents an inventory of information system components that accurately reflects the current information system?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization defines the information deemed necessary 
to achieve effective information system component accountability?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization defines the frequency to review and update the information system component inventory?", "type": "non-technical"}, {"controlNum": "CM-8", "question": "Does the organization reviews and updates the information system component inventory with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that addresses roles?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that addresses configuration management processes and procedures?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the SDLC?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization 
develops, documents, and implements a configuration management plan for the information system that establishes a process for defines the configuration items for the information system?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that establishes a process for places the configuration items under configuration management?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure?", "type": "non-technical"}, {"controlNum": "CM-9", "question": "Does the organization develops, documents, and implements a configuration management plan for the information system that protects the configuration management plan from unauthorized modification?", "type": "non-technical"}, {"controlNum": "CM-10", "question": "Does the organization uses software and associated documentation in accordance with contract agreements and copyright laws?", "type": "non-technical"}, {"controlNum": "CM-10", "question": "Does the organization tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution?", "type": "non-technical"}, {"controlNum": "CM-10", "question": "Does the organization controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work?", "type": "non-technical"}, {"controlNum": "CM-11", "question": "Does the organization defines policies to govern the installation of software by users?", "type": "non-technical"}, {"controlNum": "CM-11", "question": "Does the organization establishes organization-defined policies governing the installation of software by 
users?", "type": "non-technical"}, {"controlNum": "CM-11", "question": "Does the organization defines methods to enforce software installation policies?", "type": "non-technical"}, {"controlNum": "CM-11", "question": "Does the organization enforces software installation policies through organization-defined methods?", "type": "non-technical"}, {"controlNum": "CM-11", "question": "Does the organization defines frequency to monitor policy compliance?", "type": "non-technical"}, {"controlNum": "CM-11", "question": "Does the organization monitors policy compliance at organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses scope?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses roles?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents a contingency planning policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization defines personnel or roles to whom the contingency planning policy is to be disseminated?", "type": 
"non-technical"}, {"controlNum": "CP-1", "question": "Does the organization disseminates the contingency planning policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization defines the frequency to review and update the current contingency planning policy?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization reviews and updates the current contingency planning with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization defines the frequency to review and update the current contingency planning procedures?", "type": "non-technical"}, {"controlNum": "CP-1", "question": "Does the organization reviews and updates the current contingency planning procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that identifies essential missions and business functions and associated contingency requirements?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that provides recovery objectives?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency 
plan for the information system that provides restoration priorities?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that provides metrics?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that addresses contingency roles?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that addresses contingency responsibilities?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that addresses assigned individuals with contact information?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that defines personnel or roles to review and approve the contingency plan for the information system?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "CP-2", "question": 
"Does the organization develops and documents a contingency plan for the information system that defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization coordinates contingency planning activities with incident handling activities?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that defines a frequency to review the contingency plan for the information system?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization develops and documents a contingency plan for the information system that reviews the contingency plan with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization updates the contingency plan to address changes to the organization, information system, or environment of operation?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization updates the contingency plan to address problems encountered during plan implementation, execution, and testing?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization updates the contingency plan to address defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization updates the contingency plan to address communicates 
contingency plan changes to organization-defined key contingency personnel and organizational elements?", "type": "non-technical"}, {"controlNum": "CP-2", "question": "Does the organization protects the contingency plan from unauthorized disclosure and modification?", "type": "non-technical"}, {"controlNum": "CP-3", "question": "Does the organization defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility?", "type": "non-technical"}, {"controlNum": "CP-3", "question": "Does the organization provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility?", "type": "non-technical"}, {"controlNum": "CP-3", "question": "Does the organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes?", "type": "non-technical"}, {"controlNum": "CP-3", "question": "Does the organization defines the frequency for contingency training thereafter?", "type": "non-technical"}, {"controlNum": "CP-3", "question": "Does the organization provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter?", "type": "non-technical"}, {"controlNum": "CP-4", "question": "Does the organization defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan?", "type": "non-technical"}, {"controlNum": "CP-4", "question": "Does the organization defines a frequency to test the contingency plan for the information system?", "type": "non-technical"}, {"controlNum": "CP-4", "question": "Does the organization tests the contingency plan for the information system with the organization-defined frequency, using 
organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan?", "type": "non-technical"}, {"controlNum": "CP-4", "question": "Does the organization reviews the contingency plan test results?", "type": "non-technical"}, {"controlNum": "CP-4", "question": "Does the organization initiates corrective actions, if needed?", "type": "non-technical"}, {"controlNum": "CP-6", "question": "Does the organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information?", "type": "non-technical"}, {"controlNum": "CP-6", "question": "Does the organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site?", "type": "non-technical"}, {"controlNum": "CP-7", "question": "Does the organization defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations?", "type": "non-technical"}, {"controlNum": "CP-7", "question": "Does the organization defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions?", "type": "non-technical"}, {"controlNum": "CP-7", "question": "Does the organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable?", "type": "non-technical"}, {"controlNum": "CP-7", "question": "Does the organization ensures that contracts are in place to support delivery to the site within the 
organization-defined time period for transfer/resumption?", "type": "non-technical"}, {"controlNum": "CP-7", "question": "Does the organization ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site?", "type": "non-technical"}, {"controlNum": "CP-8", "question": "Does the organization defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations?", "type": "non-technical"}, {"controlNum": "CP-8", "question": "Does the organization defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions?", "type": "non-technical"}, {"controlNum": "CP-8", "question": "Does the organization establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization conducts backups of user-level information contained in the information system with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level 
information contained in the information system?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization conducts backups of system-level information contained in the information system with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "CP-9", "question": "Does the organization protects the confidentiality, integrity, and availability of backup information at storage locations?", "type": "non-technical"}, {"controlNum": "CP-10", "question": "Does the organization provides for the recovery of the information system to a known state after a disruption?", "type": "non-technical"}, {"controlNum": "CP-10", "question": "Does the organization provides for the recovery of the information system to a known state after a failure?", "type": "non-technical"}, {"controlNum": "CP-10", "question": "Does the organization provides for the reconstitution of the information system to a known state after a disruption?", "type": "non-technical"}, {"controlNum": "CP-10", "question": "Does the organization provides for the reconstitution of the information system to a known state after a failure?", "type": "non-technical"}, {"controlNum": "CP-11", "question": "Does the organization defines alternative communications protocols to be employed in support of maintaining continuity of operations?", "type": "non-technical"}, {"controlNum": "CP-11", "question": "Does the information 
system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations?", "type": "technical"}, {"controlNum": "CP-12", "question": "Does the organization defines conditions that, when detected, requires the information system to enter a safe mode of operation?", "type": "non-technical"}, {"controlNum": "CP-12", "question": "Does the organization defines restrictions of safe mode of operation?", "type": "non-technical"}, {"controlNum": "CP-12", "question": "Does the information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation?", "type": "technical"}, {"controlNum": "CP-13", "question": "Does the organization defines alternative or supplemental security mechanisms to be employed when the primary means of implementing the security function is unavailable or compromised?", "type": "non-technical"}, {"controlNum": "CP-13", "question": "Does the organization defines security functions to be satisfied using organization-defined alternative or supplemental security mechanisms when the primary means of implementing the security function is unavailable or compromised?", "type": "non-technical"}, {"controlNum": "CP-13", "question": "Does the organization employs organization-defined alternative or supplemental security mechanisms satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents an identification and authentication policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents an identification and authentication policy that addresses scope?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the 
organization develops and documents an identification and authentication policy that addresses roles?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents an identification and authentication policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents an identification and authentication policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents an identification and authentication policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents an identification and authentication policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization defines personnel or roles to whom the identification and authentication policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization disseminates the identification and authentication policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization defines the frequency to review and update the current identification and 
authentication policy?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization reviews and updates the current identification and authentication policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization defines the frequency to review and update the current identification and authentication procedures?", "type": "non-technical"}, {"controlNum": "IA-1", "question": "Does the organization reviews and updates the current identification and authentication procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "IA-2", "question": "Does the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)?", "type": "technical"}, {"controlNum": "IA-3", "question": "Does the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following a local connection?", "type": "non-technical"}, {"controlNum": "IA-3", "question": "Does the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following a network connection?", "type": "non-technical"}, {"controlNum": "IA-3", "question": "Does the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following a local connection?", "type": "technical"}, {"controlNum": "IA-3", "question": "Does the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following a network connection?", "type": "technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by defining personnel or roles from whom authorization must be received to 
assign an individual identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by defining personnel or roles from whom authorization must be received to assign a group identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by defining personnel or roles from whom authorization must be received to assign a device identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign a group identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign a device identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by selecting an identifier that identifies an individual?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by selecting an identifier that identifies a group?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by selecting an identifier that identifies a device?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by assigning the identifier to the intended individual?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages 
information system identifiers by assigning the identifier to the intended group?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by assigning the identifier to the intended device?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by assigning the identifier to the intended defining a time period for preventing reuse of identifiers?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by assigning the identifier to the intended preventing reuse of identifiers for the organization-defined time period?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by assigning the identifier to the intended defining a time period of inactivity to disable the identifier?", "type": "non-technical"}, {"controlNum": "IA-4", "question": "Does the organization manages information system identifiers by assigning the identifier to the intended disabling the identifier after the organization-defined time period of inactivity?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual receiving the authenticator?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the group receiving the authenticator?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the device receiving the authenticator?", "type": "non-technical"}, 
{"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of establishing and implementing administrative procedures for initial authenticator distribution?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of establishing and implementing administrative procedures for lost/compromised or damaged authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of establishing and implementing administrative procedures for revoking authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by changing default content of authenticators prior to information system installation?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of establishing minimum lifetime restrictions for authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator 
distribution, the identity of establishing maximum lifetime restrictions for authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of establishing reuse conditions for authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of defining a time period (by authenticator type) for changing/refreshing authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of changing/refreshing authenticators with the organization-defined time period by authenticator type?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by protecting authenticator content from unauthorized disclosure?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by protecting authenticator content from unauthorized modification?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by protecting authenticator content from unauthorized requiring individuals to take specific security safeguards to protect authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system authenticators by protecting authenticator content from unauthorized having devices implement specific security safeguards to protect authenticators?", "type": "non-technical"}, {"controlNum": "IA-5", "question": "Does the organization manages information system 
authenticators by changing authenticators for group/role accounts when membership to those accounts changes?", "type": "non-technical"}, {"controlNum": "IA-6", "question": "Does the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals?", "type": "technical"}, {"controlNum": "IA-7", "question": "Does the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication?", "type": "technical"}, {"controlNum": "IA-8", "question": "Does the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)?", "type": "technical"}, {"controlNum": "IA-9", "question": "Does the organization defines information system services to be identified and authenticated using security safeguards?", "type": "non-technical"}, {"controlNum": "IA-9", "question": "Does the organization defines security safeguards to be used to identify and authenticate organization-defined information system services?", "type": "non-technical"}, {"controlNum": "IA-9", "question": "Does the organization identifies and authenticates organization-defined information system services using organization-defined security safeguards?", "type": "non-technical"}, {"controlNum": "IA-10", "question": "Does the organization defines specific circumstances or situations that require individuals accessing the information system to employ supplemental authentication techniques or mechanisms?", "type": "non-technical"}, {"controlNum": "IA-10", "question": "Does the organization defines supplemental authentication techniques or mechanisms to be employed when accessing the information system under specific organization-defined circumstances or 
situations?", "type": "non-technical"}, {"controlNum": "IA-10", "question": "Does the organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations?", "type": "non-technical"}, {"controlNum": "IA-11", "question": "Does the organization defines circumstances or situations requiring re-authentication?", "type": "non-technical"}, {"controlNum": "IA-11", "question": "Does the organization requires users to re-authenticate when organization-defined circumstances or situations require re-authentication?", "type": "non-technical"}, {"controlNum": "IA-11", "question": "Does the organization requires devices to re-authenticate when organization-defined circumstances or situations require re-authentication?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an incident response policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an incident response policy that addresses scope?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an incident response policy that addresses roles?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an incident response policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an incident response policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an incident response policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents an 
incident response policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization defines personnel or roles to whom the incident response policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization disseminates the incident response policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization defines the frequency to review and update the current incident response policy?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization reviews and updates the current incident response policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization defines the frequency to review and update the current incident response procedures?", "type": "non-technical"}, {"controlNum": "IR-1", "question": "Does the organization reviews and updates the current incident response procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "IR-2", "question": "Does the organization defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility?", "type": "non-technical"}, {"controlNum": "IR-2", "question": "Does the organization provides 
incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility?", "type": "non-technical"}, {"controlNum": "IR-2", "question": "Does the organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes?", "type": "non-technical"}, {"controlNum": "IR-2", "question": "Does the organization defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities?", "type": "non-technical"}, {"controlNum": "IR-2", "question": "Does the organization after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training?", "type": "non-technical"}, {"controlNum": "IR-3", "question": "Does the organization defines incident response tests to test the incident response capability for the information system?", "type": "non-technical"}, {"controlNum": "IR-3", "question": "Does the organization defines the frequency to test the incident response capability for the information system?", "type": "non-technical"}, {"controlNum": "IR-3", "question": "Does the organization tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes preparation?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling 
capability for security incidents that includes detection and analysis?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes containment?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes eradication?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes recovery?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization coordinates incident handling activities with contingency planning activities?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes incorporates lessons learned from ongoing incident handling activities into incident response procedures?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes incorporates lessons learned from ongoing incident handling activities into training?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes incorporates lessons learned from ongoing incident handling activities into testing/exercises?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes implements the resulting changes accordingly to incident response procedures?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes implements the resulting changes 
accordingly to training?", "type": "non-technical"}, {"controlNum": "IR-4", "question": "Does the organization implements an incident handling capability for security incidents that includes implements the resulting changes accordingly to testing/exercises?", "type": "non-technical"}, {"controlNum": "IR-5", "question": "Does the organization tracks information system security incidents?", "type": "non-technical"}, {"controlNum": "IR-5", "question": "Does the organization documents information system security incidents?", "type": "non-technical"}, {"controlNum": "IR-6", "question": "Does the organization defines the time period within which personnel report suspected security incidents to the organizational incident response capability?", "type": "non-technical"}, {"controlNum": "IR-6", "question": "Does the organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period?", "type": "non-technical"}, {"controlNum": "IR-6", "question": "Does the organization defines authorities to whom security incident information is to be reported?", "type": "non-technical"}, {"controlNum": "IR-6", "question": "Does the organization reports security incident information to organization-defined authorities?", "type": "non-technical"}, {"controlNum": "IR-7", "question": "Does the organization provides an incident response support resource that is integral to the organizational incident response capability?", "type": "non-technical"}, {"controlNum": "IR-7", "question": "Does the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that provides the organization with a roadmap for implementing its incident response capability?", "type": 
"non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that describes the structure and organization of the incident response capability?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that provides a high-level approach for how the incident response capability fits into the overall organization?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to mission?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to size?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to structure?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to functions?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that defines reportable incidents?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that provides metrics for measuring the incident response capability within the organization?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that defines the resources and management support needed to effectively maintain and mature an incident response capability?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique 
requirements of the organization, which relate to defines personnel or roles to review and approve the incident response plan?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to is reviewed and approved by organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that meets the unique requirements of the organization, which relate to defines organizational elements to whom copies of the incident response plan are to be distributed?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that defines the frequency to review the incident response plan?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization develops an incident response plan that reviews the incident response plan with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization 
updates the incident response plan to address system/organizational changes or problems encountered during plan testing?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization updates the incident response plan to address system/organizational changes or problems encountered during plan execution; or defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization updates the incident response plan to address system/organizational changes or problems encountered during plan execution; or defines organizational elements to whom incident response plan changes are to be communicated?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization updates the incident response plan to address system/organizational changes or problems encountered during plan communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements?", "type": "non-technical"}, {"controlNum": "IR-8", "question": "Does the organization protects the incident response plan from unauthorized disclosure and modification?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization responds to information spills by identifying the specific information causing the information system contamination?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization defines personnel to be alerted of the information spillage?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization responds to information spills by 
alerting organization-defined personnel of the information spill using a method of communication not associated with the spill?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization responds to information spills by isolating the contaminated information system?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization responds to information spills by eradicating the information from the contaminated information system?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization responds to information spills by identifying other information systems that may have been subsequently contaminated?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization defines other actions to be performed in response to information spills?", "type": "non-technical"}, {"controlNum": "IR-9", "question": "Does the organization responds to information spills by performing other organization-defined actions?", "type": "non-technical"}, {"controlNum": "IR-10", "question": "Does the organization establishes an integrated team of forensic/malicious code analyst, tool developers, and real-time operations personnel?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system maintenance policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system maintenance policy that addresses scope?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system maintenance policy that addresses roles?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system maintenance policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system 
maintenance policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system maintenance policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents a system maintenance policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization defines personnel or roles to whom the system maintenance policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization disseminates the system maintenance policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization defines the frequency to review and update the current system maintenance policy?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization reviews and updates the current system maintenance policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization defines the frequency to review and update the current system maintenance procedures?", "type": "non-technical"}, {"controlNum": "MA-1", "question": "Does the organization reviews and updates the current system maintenance procedures with the 
organization-defined frequency?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization schedule maintenance and repairs on information system components in accordance with organizational requirements?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization perform maintenance and repairs on information system components in accordance with organizational requirements?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization document maintenance and repairs on information system components in accordance with organizational requirements?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization review records of maintenance and repairs on information system components in accordance with organizational requirements?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization approve all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization monitor all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization define personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization require that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization sanitize equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization define maintenance-related information to be included in organizational maintenance records?", "type": "non-technical"}, {"controlNum": "MA-2", "question": "Does the organization include organization-defined maintenance-related information in organizational maintenance records?", "type": "non-technical"},
{"controlNum": "MA-3", "question": "Does the organization approve information system maintenance tools?", "type": "non-technical"}, {"controlNum": "MA-3", "question": "Does the organization control information system maintenance tools?", "type": "non-technical"}, {"controlNum": "MA-3", "question": "Does the organization monitor information system maintenance tools?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization approve nonlocal maintenance and diagnostic activities?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization monitor nonlocal maintenance and diagnostic activities?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization allow the use of nonlocal maintenance and diagnostic tools only as documented in the security plan for the information system?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization maintain records for nonlocal maintenance and diagnostic activities?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization terminate sessions when nonlocal maintenance or diagnostics is completed?", "type": "non-technical"}, {"controlNum": "MA-4", "question": "Does the organization terminate network connections when nonlocal maintenance or diagnostics is completed?", "type": "non-technical"}, {"controlNum": "MA-5", "question": "Does the organization establish a process for maintenance personnel authorization?", "type": "non-technical"}, {"controlNum": "MA-5", "question": "Does the organization maintain a list of authorized maintenance organizations or personnel?", "type": "non-technical"}, {"controlNum": "MA-5", "question": "Does the organization ensure that non-escorted personnel performing maintenance on the information system have required access authorizations?", "type": "non-technical"}, {"controlNum": "MA-5", "question": "Does the organization designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations?", "type": "non-technical"}, {"controlNum": "MA-6", "question": "Does the organization define information system components for which maintenance support and/or spare parts are to be obtained?", "type": "non-technical"}, {"controlNum": "MA-6", "question": "Does the organization define the time period within which maintenance support and/or spare parts are to be obtained after a failure?", "type": "non-technical"}, {"controlNum": "MA-6", "question": "Does the organization obtain maintenance support and/or spare parts for organization-defined information system components within the organization-defined time period of failure?", "type": "non-technical"},
{"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses scope?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses roles?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document a media protection policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization define personnel or roles to whom the media protection policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization disseminate the media protection policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization develop and document procedures to facilitate the implementation of the media protection policy and associated media protection controls?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization define personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization disseminate the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization define the frequency to review and update the current media protection policy?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization review and update the current media protection policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization define the frequency to review and update the current media protection procedures?", "type": "non-technical"}, {"controlNum": "MP-1", "question": "Does the organization review and update the current media protection procedures with the organization-defined frequency?", "type": "non-technical"},
{"controlNum": "MP-2", "question": "Does the organization define types of digital and/or non-digital media requiring restricted access?", "type": "non-technical"}, {"controlNum": "MP-2", "question": "Does the organization define personnel or roles authorized to access organization-defined types of digital and/or non-digital media?", "type": "non-technical"}, {"controlNum": "MP-2", "question": "Does the organization restrict access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "MP-3", "question": "Does the organization mark information system media indicating the distribution limitations of the information?", "type": "non-technical"}, {"controlNum": "MP-3", "question": "Does the organization mark information system media indicating the handling caveats of the information?", "type": "non-technical"}, {"controlNum": "MP-3", "question": "Does the organization mark information system media indicating the applicable security markings (if any) of the information?", "type": "non-technical"}, {"controlNum": "MP-3", "question": "Does the organization define types of information system media to be exempted from marking as long as the media remain in designated controlled areas?", "type": "non-technical"}, {"controlNum": "MP-3", "question": "Does the organization define controlled areas where organization-defined types of information system media exempt from marking are to be retained?", "type": "non-technical"}, {"controlNum": "MP-3", "question": "Does the organization exempt organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas?", "type": "non-technical"}, {"controlNum": "MP-4", "question": "Does the organization define types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas?", "type": "non-technical"}, {"controlNum": "MP-4", "question": "Does the organization define controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media?", "type": "non-technical"}, {"controlNum": "MP-4", "question": "Does the organization physically control organization-defined types of digital and/or non-digital media within organization-defined controlled areas?", "type": "non-technical"}, {"controlNum": "MP-4", "question": "Does the organization securely store organization-defined types of digital and/or non-digital media within organization-defined controlled areas?", "type": "non-technical"}, {"controlNum": "MP-4", "question": "Does the organization protect information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures?", "type": "non-technical"},
{"controlNum": "MP-5", "question": "Does the organization define types of information system media to be protected and controlled during transport outside of controlled areas?", "type": "non-technical"}, {"controlNum": "MP-5", "question": "Does the organization define security safeguards to protect and control organization-defined information system media during transport outside of controlled areas?", "type": "non-technical"}, {"controlNum": "MP-5", "question": "Does the organization protect and control organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards?", "type": "non-technical"}, {"controlNum": "MP-5", "question": "Does the organization maintain accountability for information system media during transport outside of controlled areas?", "type": "non-technical"}, {"controlNum": "MP-5", "question": "Does the organization document activities associated with the transport of information system media?", "type": "non-technical"}, {"controlNum": "MP-5", "question": "Does the organization restrict the activities associated with transport of information system media to authorized personnel?", "type": "non-technical"}, {"controlNum": "MP-6", "question": "Does the organization define information system media to be sanitized prior to disposal?", "type": "non-technical"}, {"controlNum": "MP-6", "question": "Does the organization define information system media to be sanitized prior to release for reuse?", "type": "non-technical"}, {"controlNum": "MP-6", "question": "Does the organization define sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to disposal?", "type": "non-technical"}, {"controlNum": "MP-6", "question": "Does the organization define sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to release for reuse?", "type": "non-technical"}, {"controlNum": "MP-6", "question": "Does the organization sanitize organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies?", "type": "non-technical"}, {"controlNum": "MP-6", "question": "Does the organization employ sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information?", "type": "non-technical"},
{"controlNum": "MP-7", "question": "Does the organization define types of information system media to be prohibited from use on information systems or system components?", "type": "non-technical"}, {"controlNum": "MP-7", "question": "Does the organization define information systems or system components on which the use of organization-defined types of information system media is to be restricted or prohibited?", "type": "non-technical"}, {"controlNum": "MP-7", "question": "Does the organization define security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components?", "type": "non-technical"}, {"controlNum": "MP-7", "question": "Does the organization restrict or prohibit the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization define the information system media downgrading process?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization define the strength and integrity with which media downgrading mechanisms are to be employed?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization establish an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization ensure that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization ensure that the information system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization identify/define information system media requiring downgrading?", "type": "non-technical"}, {"controlNum": "MP-8", "question": "Does the organization downgrade the identified information system media using the established process?", "type": "non-technical"},
{"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses scope?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses roles?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document a physical and environmental protection policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization define personnel or roles to whom the physical and environmental protection policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization disseminate the physical and environmental protection policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization develop and document procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization define personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization disseminate the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization define the frequency to review and update the current physical and environmental protection policy?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization review and update the current physical and environmental protection policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization define the frequency to review and update the current physical and environmental protection procedures?", "type": "non-technical"}, {"controlNum": "PE-1", "question": "Does the organization review and update the current physical and environmental protection procedures with the organization-defined frequency?", "type": "non-technical"},
{"controlNum": "PE-2", "question": "Does the organization develop a list of individuals with authorized access to the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-2", "question": "Does the organization approve a list of individuals with authorized access to the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-2", "question": "Does the organization maintain a list of individuals with authorized access to the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-2", "question": "Does the organization issue authorization credentials for facility access?", "type": "non-technical"}, {"controlNum": "PE-2", "question": "Does the organization define the frequency to review the access list detailing authorized facility access by individuals?", "type": "non-technical"}, {"controlNum": "PE-2", "question": "Does the organization review the access list detailing authorized facility access by individuals with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PE-2", "question": "Does the organization remove individuals from the facility access list when access is no longer required?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define entry/exit points to the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization enforce physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by verifying individual access authorizations before granting access to the facility?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization enforce physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by controlling ingress/egress to the facility using organization-defined physical access control systems/devices and/or guards?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define entry/exit points for which physical access audit logs are to be maintained?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization maintain physical access audit logs for organization-defined entry/exit points?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization provide organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define circumstances requiring visitor escorts?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define circumstances requiring visitor monitoring?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization escort visitors in accordance with organization-defined circumstances requiring visitor escorts and monitoring?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization monitor visitor activities in accordance with organization-defined circumstances requiring visitor escorts and monitoring?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization secure keys?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization secure combinations?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization secure other physical access devices?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define physical access devices to be inventoried?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define the frequency to inventory organization-defined physical access devices?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization inventory the organization-defined physical access devices with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization define the frequency to change combinations and keys?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization change combinations and keys with the organization-defined frequency and/or when keys are lost?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization change combinations and keys with the organization-defined frequency and/or when combinations are compromised?", "type": "non-technical"}, {"controlNum": "PE-3", "question": "Does the organization change combinations and keys with the organization-defined frequency and/or when individuals are transferred or terminated?", "type": "non-technical"},
{"controlNum": "PE-4", "question": "Does the organization define information system distribution and transmission lines requiring physical access controls?", "type": "non-technical"}, {"controlNum": "PE-4", "question": "Does the organization define security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities?", "type": "non-technical"}, {"controlNum": "PE-4", "question": "Does the organization control physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards?", "type": "non-technical"}, {"controlNum": "PE-5", "question": "Does the organization control physical access to information system output devices to prevent unauthorized individuals from obtaining the output?", "type": "non-technical"}, {"controlNum": "PE-6", "question": "Does the organization monitor physical access to the facility where the information system resides to detect and respond to physical security incidents?", "type": "non-technical"}, {"controlNum": "PE-6", "question": "Does the organization define the frequency to review physical access logs?", "type": "non-technical"}, {"controlNum": "PE-6", "question": "Does the organization define events or potential indications of events requiring physical access logs to be reviewed?", "type": "non-technical"}, {"controlNum": "PE-6", "question": "Does the organization review physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events?", "type": "non-technical"}, {"controlNum": "PE-6", "question": "Does the organization coordinate results of reviews and investigations with the organizational incident response capability?", "type": "non-technical"}, {"controlNum": "PE-8", "question": "Does the organization define the time period to maintain visitor access records to the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-8", "question": "Does the organization maintain visitor access records to the facility where the information system resides for the organization-defined time period?", "type": "non-technical"}, {"controlNum": "PE-8", "question": "Does the organization define the frequency to review visitor access records?", "type": "non-technical"}, {"controlNum": "PE-8", "question": "Does the organization review visitor access records with the organization-defined frequency?", "type": "non-technical"},
{"controlNum": "PE-9", "question": "Does the organization protect power equipment and power cabling for the information system from damage and destruction?", "type": "non-technical"}, {"controlNum": "PE-10", "question": "Does the organization provide the capability of shutting off power to the information system or individual system components in emergency situations?", "type": "non-technical"}, {"controlNum": "PE-10", "question": "Does the organization define the location of emergency shutoff switches or devices by information system or system component?", "type": "non-technical"}, {"controlNum": "PE-10", "question": "Does the organization place emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel?", "type": "non-technical"}, {"controlNum": "PE-10", "question": "Does the organization protect emergency power shutoff capability from unauthorized activation?", "type": "non-technical"}, {"controlNum": "PE-11", "question": "Does the organization provide a short-term uninterruptible power supply to facilitate transition of the information system to long-term alternate power in the event of a primary power source loss?", "type": "non-technical"}, {"controlNum": "PE-12", "question": "Does the organization employ and maintain automatic emergency lighting for the information system that activates in the event of a power outage or disruption?", "type": "non-technical"}, {"controlNum": "PE-12", "question": "Does the organization employ and maintain automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility?", "type": "non-technical"}, {"controlNum": "PE-13", "question": "Does the organization employ fire suppression and detection devices/systems for the information system that are supported by an independent energy source?", "type": "non-technical"}, {"controlNum": "PE-13", "question": "Does the organization maintain fire suppression and detection devices/systems for the information system that are supported by an independent energy source?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization define acceptable temperature levels to be maintained within the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization define acceptable humidity levels to be maintained within the facility where the information system resides?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization maintain temperature levels within the facility where the information system resides at the organization-defined levels?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization maintain humidity levels within the facility where the information system resides at the organization-defined levels?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization define the frequency to monitor temperature levels?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization define the frequency to monitor humidity levels?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization monitor temperature levels with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PE-14", "question": "Does the organization monitor humidity levels with the organization-defined frequency?", "type": "non-technical"},
{"controlNum": "PE-15", "question": "Does the organization protect the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible?", "type": "non-technical"}, {"controlNum": "PE-15", "question": "Does the organization protect the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are working properly?", "type": "non-technical"}, {"controlNum": "PE-15", "question": "Does the organization protect the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are known to key personnel?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization define types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization authorize organization-defined information system components entering the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization monitor organization-defined information system components entering the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization control organization-defined information system components entering the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization authorize organization-defined information system components exiting the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization monitor organization-defined information system components exiting the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization control organization-defined information system components exiting the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization maintain records of information system components entering the facility?", "type": "non-technical"}, {"controlNum": "PE-16", "question": "Does the organization maintain records of information system components exiting the facility?", "type": "non-technical"},
{"controlNum": "PE-17", "question": "Does the organization define security controls to be employed at alternate work sites?", "type": "non-technical"}, {"controlNum": "PE-17", "question": "Does the organization employ organization-defined security controls at alternate work sites?", "type": "non-technical"}, {"controlNum": "PE-17", "question": "Does the organization assess, as feasible, the effectiveness of security controls at alternate work sites?", "type": "non-technical"}, {"controlNum": "PE-17", "question": "Does the organization provide a means for employees to communicate with information security personnel in case of security incidents or problems?", "type": "non-technical"}, {"controlNum": "PE-18", "question": "Does the organization define physical hazards that could result in potential damage to information system components within the facility?", "type": "non-technical"}, {"controlNum": "PE-18", "question": "Does the organization define environmental hazards that could result in potential damage to information system components within the facility?", "type": "non-technical"}, {"controlNum": "PE-18", "question": "Does the organization position information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards?", "type": "non-technical"}, {"controlNum": "PE-18", "question": "Does the organization position information system components within the facility to minimize the opportunity for unauthorized access?", "type": "non-technical"}, {"controlNum": "PE-19", "question": "Does the organization protect the information system from information leakage due to electromagnetic signal emanations?", "type": "non-technical"}, {"controlNum": "PE-20", "question": "Does the organization define assets whose location and movement are to be tracked and monitored?", "type": "non-technical"}, {"controlNum": "PE-20", "question": "Does the organization define asset location technologies to be employed to track and monitor the location and movement of organization-defined assets?", "type": "non-technical"}, {"controlNum": "PE-20", "question": "Does the organization define controlled areas within which to track and monitor organization-defined assets?", "type": "non-technical"}, {"controlNum": "PE-20", "question": "Does the organization employ organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas?", "type": "non-technical"}, {"controlNum": "PE-20", "question": "Does the organization ensure that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards and guidance?", "type": "non-technical"},
{"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses scope?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses roles?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develop and document a planning policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization define personnel 
or roles to whom the planning policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization disseminates the planning policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization defines the frequency to review and update the current planning policy?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization reviews and updates the current planning policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization defines the frequency to review and update the current planning procedures?", "type": "non-technical"}, {"controlNum": "PL-1", "question": "Does the organization reviews and updates the current planning procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that is consistent with the organization\u2019s enterprise architecture?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that explicitly defines the authorization boundary for the system?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that describes the 
operational context of the information system in terms of missions and business processes?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that provides the security categorization of the information system including supporting rationale?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that describes the operational environment for the information system and relationships with or connections to other information systems?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that provides an overview of the security requirements for the system?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that identifies any relevant overlays, if applicable?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that is reviewed and approved by the authorizing official or designated representative prior to plan implementation?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that distributes 
copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that defines the frequency to review the security plan for the information system?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization develops a security plan for the information system that reviews the security plan for the information system with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization updates the plan to address changes to the information system/environment of operation?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization updates the plan to address problems identified during plan implementation?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization updates the plan to address problems identified during security control assessments?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization protects the security plan from unauthorized disclosure?", "type": "non-technical"}, {"controlNum": "PL-2", "question": "Does the organization protects the security plan from unauthorized modification?", "type": "non-technical"}, {"controlNum": "PL-4", "question": "Does the organization establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage?", "type": "non-technical"}, {"controlNum": "PL-4", "question": "Does the organization makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage?", "type": "non-technical"}, {"controlNum": 
"PL-4", "question": "Does the organization receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system?", "type": "non-technical"}, {"controlNum": "PL-4", "question": "Does the organization defines the frequency to review and update the rules of behavior?", "type": "non-technical"}, {"controlNum": "PL-4", "question": "Does the organization reviews and updates the rules of behavior with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PL-4", "question": "Does the organization requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated?", "type": "non-technical"}, {"controlNum": "PL-7", "question": "Does the organization develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security?", "type": "non-technical"}, {"controlNum": "PL-7", "question": "Does the organization defines the frequency to review and update the security CONOPS?", "type": "non-technical"}, {"controlNum": "PL-7", "question": "Does the organization reviews and updates the security CONOPS with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization develops an information security architecture for the information system that describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization develops an information security architecture for the information system that describes how the information security architecture is integrated into and 
supports the enterprise architecture?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization develops an information security architecture for the information system that describes any information security assumptions about, and dependencies on, external services?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization develops an information security architecture for the information system that describes defines the frequency to review and update the information security architecture?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization develops an information security architecture for the information system that describes reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization ensures that planned information security architecture changes are reflected in the security plan?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization ensures that planned information security architecture changes are reflected in the security Concept of Operations (CONOPS)?", "type": "non-technical"}, {"controlNum": "PL-8", "question": "Does the organization ensures that planned information security architecture changes are reflected in the organizational procurements/acquisitions?", "type": "non-technical"}, {"controlNum": "PL-9", "question": "Does the organization defines security controls and related processes to be centrally managed?", "type": "non-technical"}, {"controlNum": "PL-9", "question": "Does the organization centrally manages organization-defined security controls and related processes?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that provides an 
overview of the requirements for the security program?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that provides a description of the security program management controls in place or planned for meeting those requirements?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that provides a description of the common controls in place or planned for meeting those requirements?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that includes the identification and assignment of roles?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that includes the identification and assignment of responsibilities?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that includes the identification and assignment of management commitment?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that includes the identification and assignment of coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that includes the identification and assignment of compliance?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that reflects 
coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical)?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations, organizational assets, individuals, other organizations, and the Nation?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that defines the frequency to review the security program plan for the information system?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization develops and disseminates an organization-wide information security program plan that reviews the organization-wide information security program plan with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization updates the plan to address organizational changes identified during plan implementation?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization updates the plan to address organizational changes identified during security control assessments?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization updates the plan to address organizational problems identified during plan implementation?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization updates the plan to address organizational problems identified during security control assessments?", "type": "non-technical"}, {"controlNum": "PM-1", "question": "Does the organization protects the information security program plan from unauthorized disclosure?", "type": "non-technical"}, 
{"controlNum": "PM-1", "question": "Does the organization protects the information security program plan from unauthorized modification?", "type": "non-technical"}, {"controlNum": "PM-2", "question": "Does the organization appoints a senior information security officer with the mission and resources to coordinate an organization-wide information security program?", "type": "non-technical"}, {"controlNum": "PM-2", "question": "Does the organization appoints a senior information security officer with the mission and resources to develop an organization-wide information security program?", "type": "non-technical"}, {"controlNum": "PM-2", "question": "Does the organization appoints a senior information security officer with the mission and resources to implement an organization-wide information security program?", "type": "non-technical"}, {"controlNum": "PM-2", "question": "Does the organization appoints a senior information security officer with the mission and resources to maintain an organization-wide information security program?", "type": "non-technical"}, {"controlNum": "PM-3", "question": "Does the organization ensures that all capital planning and investment requests include the resources needed to implement the information security program plan?", "type": "non-technical"}, {"controlNum": "PM-3", "question": "Does the organization documents all exceptions to the requirement?", "type": "non-technical"}, {"controlNum": "PM-3", "question": "Does the organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required?", "type": "non-technical"}, {"controlNum": "PM-3", "question": "Does the organization ensures that information security resources are available for expenditure as planned?", "type": "non-technical"}, {"controlNum": "PM-4", "question": "Does the organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are developed?", "type": 
"non-technical"}, {"controlNum": "PM-4", "question": "Does the organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are maintained?", "type": "non-technical"}, {"controlNum": "PM-4", "question": "Does the organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation?", "type": "non-technical"}, {"controlNum": "PM-4", "question": "Does the organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements?", "type": "non-technical"}, {"controlNum": "PM-4", "question": "Does the organization reviews plans of action and milestones for consistency with the organizational risk management strategy?", "type": "non-technical"}, {"controlNum": "PM-4", "question": "Does the organization reviews plans of action and milestones for consistency with organization-wide priorities for risk response actions?", "type": "non-technical"}, {"controlNum": "PM-5", "question": "Does the organization develops an inventory of its information systems?", "type": "non-technical"}, {"controlNum": "PM-5", "question": "Does the organization maintains the inventory of its information systems?", "type": "non-technical"}, {"controlNum": "PM-6", "question": "Does the organization develops information security measures of performance?", "type": "non-technical"}, {"controlNum": "PM-6", "question": "Does the organization monitors information security measures of performance?", "type": "non-technical"}, {"controlNum": "PM-6", "question": "Does the organization reports information 
security measures of performance?", "type": "non-technical"}, {"controlNum": "PM-7", "question": "Does the organization develops an enterprise architecture with consideration for information security?", "type": "non-technical"}, {"controlNum": "PM-7", "question": "Does the organization develops an enterprise architecture with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation?", "type": "non-technical"}, {"controlNum": "PM-8", "question": "Does the organization addresses information security issues in the development of a critical infrastructure and key resources protection plan?", "type": "non-technical"}, {"controlNum": "PM-8", "question": "Does the organization addresses information security issues in the documentation of a critical infrastructure and key resources protection plan?", "type": "non-technical"}, {"controlNum": "PM-8", "question": "Does the organization addresses information security issues in the updating of the critical infrastructure and key resources protection plan?", "type": "non-technical"}, {"controlNum": "PM-9", "question": "Does the organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems?", "type": "non-technical"}, {"controlNum": "PM-9", "question": "Does the organization implements the risk management strategy consistently across the organization?", "type": "non-technical"}, {"controlNum": "PM-9", "question": "Does the organization defines the frequency to review and update the risk management strategy?", "type": "non-technical"}, {"controlNum": "PM-9", "question": "Does the organization reviews and updates the risk management strategy to address organizational changes as required?", "type": "non-technical"}, {"controlNum": "PM-10", "question": "Does the organization manages (i.e., documents, 
tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes?", "type": "non-technical"}, {"controlNum": "PM-10", "question": "Does the organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process?", "type": "non-technical"}, {"controlNum": "PM-10", "question": "Does the organization fully integrates the security authorization processes into an organization-wide risk management program?", "type": "non-technical"}, {"controlNum": "PM-11", "question": "Does the organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation?", "type": "non-technical"}, {"controlNum": "PM-11", "question": "Does the organization determines information protection needs arising from the defined mission/business process?", "type": "non-technical"}, {"controlNum": "PM-11", "question": "Does the organization revises the processes as necessary until achievable protection needs are obtained?", "type": "non-technical"}, {"controlNum": "PM-12", "question": "Does the organization implements an insider threat program that includes a cross-discipline insider threat incident handling team?", "type": "non-technical"}, {"controlNum": "PM-13", "question": "Does the organization establishes an information security workforce development and improvement program?", "type": "non-technical"}, {"controlNum": "PM-14", "question": "Does the organization implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems are developed?", "type": "non-technical"}, {"controlNum": "PM-14", "question": "Does the organization implements a process for ensuring that 
organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems are maintained?", "type": "non-technical"}, {"controlNum": "PM-14", "question": "Does the organization implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems continue to be executed in a timely manner?", "type": "non-technical"}, {"controlNum": "PM-14", "question": "Does the organization reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy?", "type": "non-technical"}, {"controlNum": "PM-14", "question": "Does the organization reviews testing, training, and monitoring plans for consistency with organization-wide priorities for risk response actions?", "type": "non-technical"}, {"controlNum": "PM-15", "question": "Does the organization establishes and institutionalizes contact with selected groups and associations with the security community to facilitate ongoing security education and training for organizational personnel?", "type": "non-technical"}, {"controlNum": "PM-15", "question": "Does the organization establishes and institutionalizes contact with selected groups and associations with the security community to maintain currency with recommended security practices, techniques, and technologies?", "type": "non-technical"}, {"controlNum": "PM-15", "question": "Does the organization establishes and institutionalizes contact with selected groups and associations with the security community to share current security-related information including threats, vulnerabilities, and incidents?", "type": "non-technical"}, {"controlNum": "PM-16", "question": "Does the organization implements a threat awareness program that includes a cross-organization information-sharing capability?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the 
organization develops and documents an personnel security policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents an personnel security policy that addresses scope?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents an personnel security policy that addresses roles?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents an personnel security policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents an personnel security policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents an personnel security policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents an personnel security policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization defines personnel or roles to whom the personnel security policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization disseminates the personnel security policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization disseminates the procedures to organization-defined 
personnel or roles?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization defines the frequency to review and update the current personnel security policy?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization reviews and updates the current personnel security policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization defines the frequency to review and update the current personnel security procedures?", "type": "non-technical"}, {"controlNum": "PS-1", "question": "Does the organization reviews and updates the current personnel security procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PS-2", "question": "Does the organization assigns a risk designation to all organizational positions?", "type": "non-technical"}, {"controlNum": "PS-2", "question": "Does the organization establishes screening criteria for individuals filling those positions?", "type": "non-technical"}, {"controlNum": "PS-2", "question": "Does the organization defines the frequency to review and update position risk designations?", "type": "non-technical"}, {"controlNum": "PS-2", "question": "Does the organization reviews and updates position risk designations with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PS-3", "question": "Does the organization screens individuals prior to authorizing access to the information system?", "type": "non-technical"}, {"controlNum": "PS-3", "question": "Does the organization defines conditions requiring re-screening?", "type": "non-technical"}, {"controlNum": "PS-3", "question": "Does the organization defines the frequency of re-screening where it is so indicated?", "type": "non-technical"}, {"controlNum": "PS-3", "question": "Does the organization re-screens individuals in accordance with organization-defined conditions requiring re-screening and, 
where re-screening is so indicated, with the organization-defined frequency of such re-screening?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, defines a time period within which to disable information system access?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, disables information system access within the organization-defined time period?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, defines information security topics to be discussed when conducting exit interviews?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, conducts exit interviews that include a discussion of organization-defined information security topics?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, retrieves all security-related organizational information system-related property?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, retains access to organizational information and information systems formerly controlled by the terminated individual?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, defines personnel or roles to be notified of the termination?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, defines the time period within which to 
notify organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "PS-4", "question": "Does the organization, upon termination of individual employment, notifies organization-defined personnel or roles within the organization-defined time period?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current logical access authorizations to information systems?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current physical access authorizations to information systems and facilities?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current defines transfer or reassignment actions to be initiated following transfer or reassignment?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current defines the time period within which transfer or reassignment actions must occur following transfer or reassignment?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the 
organization modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization?", "type": "non-technical"}, {"controlNum": "PS-5", "question": "Does the organization when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization?", "type": "non-technical"}, {"controlNum": "PS-6", "question": "Does the organization develops and documents access agreements for organizational information systems?", "type": "non-technical"}, {"controlNum": "PS-6", "question": "Does the organization defines the frequency to review and update the access agreements?", "type": "non-technical"}, {"controlNum": "PS-6", "question": "Does the organization reviews and updates the access agreements with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PS-6", "question": "Does the organization ensures that individuals requiring access to organizational information and information 
systems sign appropriate access agreements prior to being granted access?", "type": "non-technical"}, {"controlNum": "PS-6", "question": "Does the organization defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated?", "type": "non-technical"}, {"controlNum": "PS-6", "question": "Does the organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization requires third-party providers to comply with personnel security policies and procedures established by the organization?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization documents personnel security requirements?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization requires third-party providers to notify 
organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges?", "type": "non-technical"}, {"controlNum": "PS-7", "question": "Does the organization monitors provider compliance?", "type": "non-technical"}, {"controlNum": "PS-8", "question": "Does the organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures?", "type": "non-technical"}, {"controlNum": "PS-8", "question": "Does the organization defines personnel or roles to be notified when a formal employee sanctions process is initiated?", "type": "non-technical"}, {"controlNum": "PS-8", "question": "Does the organization defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated?", "type": "non-technical"}, {"controlNum": "PS-8", "question": "Does the organization notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents a risk assessment policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents a risk assessment policy that addresses scope?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents a risk assessment policy that addresses roles?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents a risk assessment policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "RA-1", 
"question": "Does the organization develops and documents a risk assessment policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents a risk assessment policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents a risk assessment policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization defines personnel or roles to whom the risk assessment policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization disseminates the risk assessment policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization defines the frequency to review and update the current risk assessment policy?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization reviews and updates the current risk assessment policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization defines the frequency to review and update the current risk assessment procedures?", "type": "non-technical"}, {"controlNum": "RA-1", "question": "Does the organization reviews and updates the current risk 
assessment procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "RA-2", "question": "Does the organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance?", "type": "non-technical"}, {"controlNum": "RA-2", "question": "Does the organization documents the security categorization results (including supporting rationale) in the security plan for the information system?", "type": "non-technical"}, {"controlNum": "RA-2", "question": "Does the organization ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information the system processes, stores, or transmits?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report)?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, 
or destruction of documents risk assessment results in one of the following the security plan?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of documents risk assessment results in one of the following the organization-defined document?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of defines the frequency to review risk assessment results?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of reviews risk assessment results with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of defines personnel or roles to whom risk assessment results are to be disseminated?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of disseminates risk assessment results to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of defines the frequency to update the risk assessment?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of updates the risk assessment with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of updates the risk assessment whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities)?", "type": "non-technical"}, {"controlNum": "RA-3", "question": "Does the organization conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of updates the risk assessment whenever there are other conditions that may impact the security state of the system?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization defines the process for conducting random vulnerability scans on the information system and hosted applications?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in the information system?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in hosted applications?", "type": "non-technical"}, {"controlNum": "RA-5", 
"question": "Does the organization when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in the information system?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in hosted applications?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in enumerating platforms?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in enumerating software flaws?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in enumerating improper configurations?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for when new vulnerabilities potentially 
affecting the system/applications are identified and reported, scans for vulnerabilities in formatting checklists?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in formatting test procedures?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for measuring vulnerability impact?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for analyzes vulnerability scan reports?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for analyzes results from security control assessments?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate 
interoperability among tools and automate parts of the vulnerability management process by using standards for remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)?", "type": "non-technical"}, {"controlNum": "RA-5", "question": "Does the organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)?", "type": "non-technical"}, {"controlNum": "RA-6", "question": "Does the organization defines locations to employ technical surveillance countermeasure surveys?", "type": "non-technical"}, {"controlNum": "RA-6", "question": "Does the organization defines a frequency to employ technical surveillance countermeasure surveys?", "type": "non-technical"}, 
{"controlNum": "RA-6", "question": "Does the organization defines events or indicators which, if they occur, trigger a technical surveillance countermeasures survey?", "type": "non-technical"}, {"controlNum": "RA-6", "question": "Does the organization employs a technical surveillance countermeasures survey at organization-defined locations one or more of the following when organization-defined events or indicators occur?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses scope?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses roles?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents a system and services acquisition policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization defines personnel or roles to whom the system and services acquisition policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization disseminates the system 
and services acquisition policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization defines the frequency to review and update the current system and services acquisition policy?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization reviews and updates the current system and services acquisition policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization defines the frequency to review and update the current system and services acquisition procedures?", "type": "non-technical"}, {"controlNum": "SA-1", "question": "Does the organization reviews and updates the current system and services acquisition procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SA-2", "question": "Does the organization determines information security requirements for the information system or information system service in mission/business process planning?", "type": "non-technical"}, {"controlNum": "SA-2", "question": "Does the organization to protect the information system or information system service as part of its capital planning and investment control process determines the resources required?", "type": "non-technical"}, {"controlNum": "SA-2", "question": "Does the organization to protect the 
information system or information system service as part of its capital planning and investment control process documents the resources required?", "type": "non-technical"}, {"controlNum": "SA-2", "question": "Does the organization to protect the information system or information system service as part of its capital planning and investment control process allocates the resources required?", "type": "non-technical"}, {"controlNum": "SA-2", "question": "Does the organization establishes a discrete line item for information security in organizational programming and budgeting documentation?", "type": "non-technical"}, {"controlNum": "SA-3", "question": "Does the organization defines a system development life cycle that incorporates information security considerations to be used to manage the information system?", "type": "non-technical"}, {"controlNum": "SA-3", "question": "Does the organization manages the information system using the organization-defined system development life cycle?", "type": "non-technical"}, {"controlNum": "SA-3", "question": "Does the organization defines and documents information security roles and responsibilities throughout the system development life cycle?", "type": "non-technical"}, {"controlNum": "SA-3", "question": "Does the organization identifies individuals having information security roles and responsibilities?", "type": "non-technical"}, {"controlNum": "SA-3", "question": "Does the organization integrates the organizational information security risk management process into system development life cycle activities?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational 
mission/business needs security functional requirements?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs security strength requirements?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs security assurance requirements?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs security-related documentation requirements?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs requirements for protecting security-related 
documentation?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs description of the information system development environment?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs description of the environment in which the system is intended to operate?", "type": "non-technical"}, {"controlNum": "SA-4", "question": "Does the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs acceptance criteria?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration of the system, system component, or service?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains administrator documentation for the information system, system component, or information system service that 
describes secure installation of the system, system component, or service?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains administrator documentation for the information system, system component, or information system service that describes secure operation of the system, system component, or service?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains administrator documentation for the information system, system component, or information system service that describes effective use of the security features/mechanisms?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains administrator documentation for the information system, system component, or information system service that describes effective maintenance of the security features/mechanisms?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes how to effectively use those functions/mechanisms?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction, which enables individuals to use the system, component, or 
service in a more secure manner?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes takes organization-defined actions in response?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization protects documentation as required, in accordance with the risk management strategy?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system service that describes defines personnel or roles to whom documentation is to be distributed?", "type": "non-technical"}, {"controlNum": "SA-5", "question": "Does the organization obtains user documentation for the information system, system component, or information system 
service that describes distributes documentation to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SA-8", "question": "Does the organization applies information system security engineering principles in the specification of the information system?", "type": "non-technical"}, {"controlNum": "SA-8", "question": "Does the organization applies information system security engineering principles in the design of the information system?", "type": "non-technical"}, {"controlNum": "SA-8", "question": "Does the organization applies information system security engineering principles in the development of the information system?", "type": "non-technical"}, {"controlNum": "SA-8", "question": "Does the organization applies information system security engineering principles in the implementation of the information system?", "type": "non-technical"}, {"controlNum": "SA-8", "question": "Does the organization applies information system security engineering principles in the modification of the information system?", "type": "non-technical"}, {"controlNum": "SA-9", "question": "Does the organization defines security controls to be employed by providers of external information system services?", "type": "non-technical"}, {"controlNum": "SA-9", "question": "Does the organization requires that providers of external information system services comply with organizational information security requirements?", "type": "non-technical"}, {"controlNum": "SA-9", "question": "Does the organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance?", "type": "non-technical"}, {"controlNum": "SA-9", "question": "Does the organization defines and documents government oversight with regard to external information system services?", "type": "non-technical"}, {"controlNum": "SA-9", 
"question": "Does the organization defines and documents user roles and responsibilities with regard to external information system services?", "type": "non-technical"}, {"controlNum": "SA-9", "question": "Does the organization defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers?", "type": "non-technical"}, {"controlNum": "SA-9", "question": "Does the organization employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following system, component, or service design?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following system, component, or service development?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following system, component, or service operation?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following defines configuration items to be placed under configuration management?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system 
service to perform configuration management during one or more of the following requires the developer of the information system, system component, or information system service to document the integrity of changes to organization-defined items under configuration management?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following requires the developer of the information system, system component, or information system service to manage the integrity of changes to organization-defined items under configuration management?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following requires the developer of the information system, system component, or information system service to control the integrity of changes to organization-defined items under configuration management?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to document the potential security impacts of such changes?", "type": "non-technical"}, {"controlNum": 
"SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to document defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to document requires the developer of the information system, system component, or information system service to track security flaws within the system, component, or service?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to document requires the developer of the information system, system component, or information system service to track security flaw resolution within the system, component, or service?", "type": "non-technical"}, {"controlNum": "SA-10", "question": "Does the organization requires the developer of the information system, system component, or information system service to document requires the developer of the information system, system component, or information system service to report findings to organization-defined personnel?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to create and implement a security plan?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization defines the coverage of testing/evaluation to be performed 
by the developer of the information system, system component, or information system service?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage unit testing/evaluation?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage integration testing/evaluation?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage regression testing/evaluation?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to produce evidence of the results of the security testing/evaluation?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process?", "type": "non-technical"}, {"controlNum": "SA-11", "question": "Does the organization requires the developer of the information system, system component, or information system service to correct 
flaws identified during security testing/evaluation?", "type": "non-technical"}, {"controlNum": "SA-12", "question": "Does the organization defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service?", "type": "non-technical"}, {"controlNum": "SA-12", "question": "Does the organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy?", "type": "non-technical"}, {"controlNum": "SA-13", "question": "Does the organization defines information system, system component, or information system service for which the trustworthiness required is to be described?", "type": "non-technical"}, {"controlNum": "SA-13", "question": "Does the organization describes the trustworthiness required in organization-defined information system, information system component, or information system service supporting its critical mission/business functions?", "type": "non-technical"}, {"controlNum": "SA-13", "question": "Does the organization defines an assurance overlay to be implemented to achieve such trustworthiness?", "type": "non-technical"}, {"controlNum": "SA-13", "question": "Does the organization organization implements the organization-defined assurance overlay to achieve such trustworthiness?", "type": "non-technical"}, {"controlNum": "SA-14", "question": "Does the organization defines information systems, information system components, or information system services requiring a criticality analysis to identify critical information system components and functions?", "type": "non-technical"}, {"controlNum": "SA-14", "question": "Does the organization defines decision points in the system development life cycle when a criticality analysis is to be performed for organization-defined information 
systems, information system components, or information system services?", "type": "non-technical"}, {"controlNum": "SA-14", "question": "Does the organization identifies critical information system components and functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decisions points in the system development life cycle?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that explicitly addresses security requirements?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that identifies the standards and tools used in the development process?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents the specific tool options used in the development process?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents the specific tool configurations used in the development process?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents changes to the process and/or tools used in the development?", "type": "non-technical"}, {"controlNum": "SA-15", 
"question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that manages changes to the process and/or tools used in the development?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that ensures the integrity of changes to the process and/or tools used in the development?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that defines a frequency to review the development process, standards, tools, and tool options/configurations?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that defines security requirements to be satisfied by the process, standards, tools, and tool option/configurations selected and employed?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that reviews the development standards with the organization-defined frequency to 
determine if the standards selected and employed can satisfy organization-defined security requirements?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements?", "type": "non-technical"}, {"controlNum": "SA-15", "question": "Does the organization requires the developer of the information system, system component, or information system service to follow a documented development process that reviews the development tool options/configurations with the organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements?", "type": "non-technical"}, {"controlNum": "SA-16", "question": "Does the organization defines training to be provided by the developer of the information system, system component, or information system service?", "type": "non-technical"}, {"controlNum": "SA-16", "question": "Does the organization requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms?", "type": "non-technical"}, {"controlNum": "SA-17", "question": "Does the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that is consistent with and supportive of the organization\u2019s security architecture which is established within and is an integrated part of the organization\u2019s enterprise architecture?", "type": "non-technical"}, {"controlNum": "SA-17", 
"question": "Does the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that accurately and completely describes the required security functionality?", "type": "non-technical"}, {"controlNum": "SA-17", "question": "Does the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that accurately and completely describes the allocation of security controls among physical and logical components?", "type": "non-technical"}, {"controlNum": "SA-17", "question": "Does the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection?", "type": "non-technical"}, {"controlNum": "SA-18", "question": "Does the organization implements a tamper protection program for the information system, system component, or information system service?", "type": "non-technical"}, {"controlNum": "SA-19", "question": "Does the organization develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system?", "type": "non-technical"}, {"controlNum": "SA-19", "question": "Does the organization defines external reporting organizations to whom counterfeit information system components are to be reported?", "type": "non-technical"}, {"controlNum": "SA-19", "question": "Does the organization defines personnel or roles to whom counterfeit information system components are to be reported?", "type": "non-technical"}, {"controlNum": "SA-19", "question": "Does the organization reports counterfeit 
information system components to one or more of the following the source of counterfeit component?", "type": "non-technical"}, {"controlNum": "SA-19", "question": "Does the organization reports counterfeit information system components to one or more of the following the organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SA-20", "question": "Does the organization defines critical information system components to be re-implemented or custom developed?", "type": "non-technical"}, {"controlNum": "SA-20", "question": "Does the organization re-implements or custom develops organization-defined information system components?", "type": "non-technical"}, {"controlNum": "SA-21", "question": "Does the organization defines the information system, system component, or information system service for which the developer is to be screened?", "type": "non-technical"}, {"controlNum": "SA-21", "question": "Does the organization defines official government duties to be used to determine appropriate access authorizations for the developer?", "type": "non-technical"}, {"controlNum": "SA-21", "question": "Does the organization defines additional personnel screening criteria to be satisfied by the developer?", "type": "non-technical"}, {"controlNum": "SA-21", "question": "Does the organization requires that the developer of organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties?", "type": "non-technical"}, {"controlNum": "SA-21", "question": "Does the organization requires that the developer of organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria?", "type": "non-technical"}, {"controlNum": "SA-22", "question": "Does the organization replaces information system components when support for the components is 
no longer available from the developer, vendor, or manufacturer?", "type": "non-technical"}, {"controlNum": "SA-22", "question": "Does the organization provides justification for the continued use of unsupported system components required to satisfy mission/business needs?", "type": "non-technical"}, {"controlNum": "SA-22", "question": "Does the organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses scope?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses roles?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents a system and communications protection policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization defines personnel or roles to whom the system and communications protection policy is to be disseminated?", "type": 
"non-technical"}, {"controlNum": "SC-1", "question": "Does the organization disseminates the system and communications protection policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization defines the frequency to review and update the current system and communications protection policy?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization reviews and updates the current system and communications protection policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization defines the frequency to review and update the current system and communications protection procedures?", "type": "non-technical"}, {"controlNum": "SC-1", "question": "Does the organization reviews and updates the current system and communications protection procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SC-2", "question": "Does the information system separates user functionality (including user interface services) from information system management functionality?", "type": "technical"}, {"controlNum": "SC-3", "question": "Does the information system isolates security functions from nonsecurity functions?", "type": "technical"}, {"controlNum": "SC-4", "question": "Does the information system prevents 
unauthorized and unintended information transfer via shared system resources?", "type": "technical"}, {"controlNum": "SC-5", "question": "Does the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects?", "type": "non-technical"}, {"controlNum": "SC-5", "question": "Does the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks?", "type": "non-technical"}, {"controlNum": "SC-5", "question": "Does the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards?", "type": "technical"}, {"controlNum": "SC-6", "question": "Does the organization defines resources to be allocated to protect the availability of resources?", "type": "non-technical"}, {"controlNum": "SC-6", "question": "Does the organization defines security safeguards to be employed to protect the availability of resources?", "type": "non-technical"}, {"controlNum": "SC-6", "question": "Does the information system protects the availability of resources by allocating organization-defined resources by one or more of the following priority?", "type": "technical"}, {"controlNum": "SC-6", "question": "Does the information system protects the availability of resources by allocating organization-defined resources by one or more of the following organization-defined safeguards?", "type": "technical"}, {"controlNum": "SC-7", "question": "Does the information system monitors communications at the external boundary of the information system?", "type": "technical"}, {"controlNum": "SC-7", "question": "Does the information system monitors communications at key internal boundaries within the system?", "type": "technical"}, {"controlNum": 
"SC-7", "question": "Does the information system controls communications at the external boundary of the information system?", "type": "technical"}, {"controlNum": "SC-7", "question": "Does the information system controls communications at key internal boundaries within the system?", "type": "technical"}, {"controlNum": "SC-7", "question": "Does the information system implements subnetworks for publicly accessible system components that are either logically separated from internal organizational networks?", "type": "technical"}, {"controlNum": "SC-7", "question": "Does the information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture?", "type": "technical"}, {"controlNum": "SC-8", "question": "Does the information system protects one or more of the following integrity of transmitted information?", "type": "technical"}, {"controlNum": "SC-10", "question": "Does the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session?", "type": "non-technical"}, {"controlNum": "SC-10", "question": "Does the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity?", "type": "technical"}, {"controlNum": "SC-11", "question": "Does the organization defines security functions of the information system?", "type": "non-technical"}, {"controlNum": "SC-11", "question": "Does the organization-defined security functions include at a minimum, information system authentication and re-authentication?", "type": "non-technical"}, {"controlNum": "SC-11", "question": "Does the information system establishes a trusted communications path between the user and the organization-defined security functions of the system?", "type": 
"technical"}, {"controlNum": "SC-12", "question": "Does the organization defines requirements for cryptographic key generation?", "type": "non-technical"}, {"controlNum": "SC-12", "question": "Does the organization defines requirements for cryptographic key distribution?", "type": "non-technical"}, {"controlNum": "SC-12", "question": "Does the organization defines requirements for cryptographic key storage?", "type": "non-technical"}, {"controlNum": "SC-12", "question": "Does the organization defines requirements for cryptographic key access?", "type": "non-technical"}, {"controlNum": "SC-12", "question": "Does the organization defines requirements for cryptographic key destruction?", "type": "non-technical"}, {"controlNum": "SC-12", "question": "Does the organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction?", "type": "non-technical"}, {"controlNum": "SC-13", "question": "Does the organization defines cryptographic uses?", "type": "non-technical"}, {"controlNum": "SC-13", "question": "Does the organization defines the type of cryptography required for each use?", "type": "non-technical"}, {"controlNum": "SC-13", "question": "Does the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards?", "type": "technical"}, {"controlNum": "SC-15", "question": "Does the organization defines exceptions where remote activation of collaborative computing devices is to be allowed?", "type": "non-technical"}, {"controlNum": "SC-15", "question": "Does the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed?", 
"type": "technical"}, {"controlNum": "SC-15", "question": "Does the information system provides an explicit indication of use to users physically present at the devices?", "type": "technical"}, {"controlNum": "SC-16", "question": "Does the organization defines security attributes to be associated with information exchanged between information systems?", "type": "non-technical"}, {"controlNum": "SC-16", "question": "Does the organization defines security attributes to be associated with information exchanged between system components?", "type": "non-technical"}, {"controlNum": "SC-16", "question": "Does the information system associates organization-defined security attributes with information exchanged between information systems?", "type": "technical"}, {"controlNum": "SC-16", "question": "Does the information system associates organization-defined security attributes with information exchanged between system components?", "type": "technical"}, {"controlNum": "SC-17", "question": "Does the organization defines a certificate policy for issuing public key certificates?", "type": "non-technical"}, {"controlNum": "SC-17", "question": "Does the organization issues public key certificates obtains public key certificates from an approved service provider?", "type": "non-technical"}, {"controlNum": "SC-18", "question": "Does the organization defines acceptable and unacceptable mobile code and mobile code technologies?", "type": "non-technical"}, {"controlNum": "SC-18", "question": "Does the organization establishes usage restrictions for acceptable mobile code and mobile code technologies?", "type": "non-technical"}, {"controlNum": "SC-18", "question": "Does the organization establishes implementation guidance for acceptable mobile code and mobile code technologies?", "type": "non-technical"}, {"controlNum": "SC-18", "question": "Does the organization authorizes the use of mobile code within the information system?", "type": "non-technical"}, {"controlNum": "SC-18", 
"question": "Does the organization monitors the use of mobile code within the information system?", "type": "non-technical"}, {"controlNum": "SC-18", "question": "Does the organization controls the use of mobile code within the information system?", "type": "non-technical"}, {"controlNum": "SC-19", "question": "Does the organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously?", "type": "non-technical"}, {"controlNum": "SC-19", "question": "Does the organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously?", "type": "non-technical"}, {"controlNum": "SC-19", "question": "Does the organization authorizes the use of VoIP within the information system?", "type": "non-technical"}, {"controlNum": "SC-19", "question": "Does the organization monitors the use of VoIP within the information system?", "type": "non-technical"}, {"controlNum": "SC-19", "question": "Does the organization controls the use of VoIP within the information system?", "type": "non-technical"}, {"controlNum": "SC-20", "question": "Does the information system provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries?", "type": "technical"}, {"controlNum": "SC-20", "question": "Does the information system provides the means to, when operating as part of a distributed, hierarchical namespace indicate the security status of child zones?", "type": "technical"}, {"controlNum": "SC-20", "question": "Does the information system provides the means to, when operating as part of a distributed, hierarchical namespace enable verification of a chain of trust among parent and child domains (if the child supports secure resolution 
services)?", "type": "technical"}, {"controlNum": "SC-21", "question": "Does the information system requests data origin authentication on the name/address resolution responses the system receives from authoritative sources?", "type": "technical"}, {"controlNum": "SC-21", "question": "Does the information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources?", "type": "technical"}, {"controlNum": "SC-21", "question": "Does the information system performs data origin authentication on the name/address resolution responses the system receives from authoritative sources?", "type": "technical"}, {"controlNum": "SC-21", "question": "Does the information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources?", "type": "technical"}, {"controlNum": "SC-22", "question": "Does the information systems that collectively provide name/address resolution service for an organization are fault tolerant?", "type": "technical"}, {"controlNum": "SC-22", "question": "Does the information systems that collectively provide name/address resolution service for an organization implement internal/external role separation?", "type": "technical"}, {"controlNum": "SC-23", "question": "Does the information system protects the authenticity of communications sessions?", "type": "technical"}, {"controlNum": "SC-24", "question": "Does the organization defines a known-state to which the information system is to fail in the event of a system failure?", "type": "non-technical"}, {"controlNum": "SC-24", "question": "Does the organization defines types of failures for which the information system is to fail to an organization-defined known-state?", "type": "non-technical"}, {"controlNum": "SC-24", "question": "Does the organization defines system state information to be preserved in the event of a system failure?", "type": "non-technical"}, 
{"controlNum": "SC-24", "question": "Does the information system fails to the organization-defined known-state for organization-defined types of failures?", "type": "technical"}, {"controlNum": "SC-24", "question": "Does the information system preserves the organization-defined system state information in the event of a system failure?", "type": "technical"}, {"controlNum": "SC-25", "question": "Does the organization defines information system components to be employed with minimal functionality and information storage?", "type": "non-technical"}, {"controlNum": "SC-25", "question": "Does the organization employs organization-defined information system components with minimal functionality and information storage?", "type": "non-technical"}, {"controlNum": "SC-26", "question": "Does the information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks?", "type": "technical"}, {"controlNum": "SC-27", "question": "Does the organization defines platform-independent applications?", "type": "non-technical"}, {"controlNum": "SC-27", "question": "Does the information system includes organization-defined platform-independent applications?", "type": "technical"}, {"controlNum": "SC-28", "question": "Does the organization defines information at rest requiring one or more of the following integrity protection?", "type": "non-technical"}, {"controlNum": "SC-28", "question": "Does the information system protects the integrity of organization-defined information at rest?", "type": "technical"}, {"controlNum": "SC-29", "question": "Does the organization defines information system components requiring a diverse set of information technologies to be employed in the implementation of the information system?", "type": "non-technical"}, {"controlNum": "SC-29", "question": "Does the organization employs a diverse set of information technologies for organization-defined information 
system components in the implementation of the information system?", "type": "non-technical"}, {"controlNum": "SC-30", "question": "Does the organization defines concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting organizational information systems?", "type": "non-technical"}, {"controlNum": "SC-30", "question": "Does the organization defines information systems for which organization-defined concealment and misdirection techniques are to be employed?", "type": "non-technical"}, {"controlNum": "SC-30", "question": "Does the organization defines time periods to employ organization-defined concealment and misdirection techniques for organization-defined information systems?", "type": "non-technical"}, {"controlNum": "SC-30", "question": "Does the organization employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries?", "type": "non-technical"}, {"controlNum": "SC-31", "question": "Does the organization performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for one or more of the following covert timing channels?", "type": "non-technical"}, {"controlNum": "SC-31", "question": "Does the organization estimates the maximum bandwidth of those channels?", "type": "non-technical"}, {"controlNum": "SC-32", "question": "Does the organization defines circumstances for physical separation of information system components into information system partitions?", "type": "non-technical"}, {"controlNum": "SC-32", "question": "Does the organization defines information system components to reside in separate physical domains or environments based on organization-defined circumstances for physical separation of components?", "type": "non-technical"}, {"controlNum": "SC-32", "question": "Does the organization partitions the 
information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components?", "type": "non-technical"}, {"controlNum": "SC-34", "question": "Does the organization defines information system components for which the operating environment and organization-defined applications are to be loaded and executed from hardware-enforced, read-only media?", "type": "non-technical"}, {"controlNum": "SC-34", "question": "Does the organization defines applications to be loaded and executed from hardware-enforced, read-only media?", "type": "non-technical"}, {"controlNum": "SC-34", "question": "Does the information system, at organization-defined information system components loads and executes the operating environment from hardware-enforced, read-only media?", "type": "technical"}, {"controlNum": "SC-34", "question": "Does the information system, at organization-defined information system components loads and executes organization-defined applications from hardware-enforced, read-only media?", "type": "technical"}, {"controlNum": "SC-35", "question": "Does the information system includes components that proactively seek to identify malicious websites and/or web-based malicious code?", "type": "technical"}, {"controlNum": "SC-36", "question": "Does the organization defines processing and storage to be distributed across multiple physical locations?", "type": "non-technical"}, {"controlNum": "SC-36", "question": "Does the organization distributes organization-defined processing and storage across multiple physical locations?", "type": "non-technical"}, {"controlNum": "SC-37", "question": "Does the organization defines out-of-band channels to be employed for the physical delivery or electronic transmission of information, information system components, or devices to individuals or information systems?", "type": "non-technical"}, {"controlNum": 
"SC-37", "question": "Does the organization defines information, information system components, or devices for which physical delivery or electronic transmission of such information, information system components, or devices to individuals or information systems requires employment of organization-defined out-of-band channels?", "type": "non-technical"}, {"controlNum": "SC-37", "question": "Does the organization defines individuals or information systems to which physical delivery or electronic transmission of organization-defined information, information system components, or devices is to be achieved via employment of organization-defined out-of-band channels?", "type": "non-technical"}, {"controlNum": "SC-37", "question": "Does the organization employs organization-defined out-of-band channels for the physical delivery or electronic transmission of organization-defined information, information system components, or devices to organization-defined individuals or information systems?", "type": "non-technical"}, {"controlNum": "SC-38", "question": "Does the organization defines operations security safeguards to be employed to protect key organizational information throughout the system development life cycle?", "type": "non-technical"}, {"controlNum": "SC-38", "question": "Does the organization employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle?", "type": "non-technical"}, {"controlNum": "SC-39", "question": "Does the information system maintains a separate execution domain for each executing process?", "type": "technical"}, {"controlNum": "SC-40", "question": "Does the organization defines internal wireless links to be protected from particular types of signal parameter attacks?", "type": "non-technical"}, {"controlNum": "SC-40", "question": "Does the organization defines external wireless links to be protected from particular types of signal parameter attacks?", 
"type": "non-technical"}, {"controlNum": "SC-40", "question": "Does the organization defines types of signal parameter attacks or references to sources for such attacks that are based upon exploiting the signal parameters of organization-defined internal and external wireless links?", "type": "non-technical"}, {"controlNum": "SC-40", "question": "Does the information system protects internal and external organization-defined wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks?", "type": "technical"}, {"controlNum": "SC-41", "question": "Does the organization defines connection ports or input/output devices to be physically disabled or removed on information systems or information system components?", "type": "non-technical"}, {"controlNum": "SC-41", "question": "Does the organization defines information systems or information system components with organization-defined connection ports or input/output devices that are to be physically disabled or removed?", "type": "non-technical"}, {"controlNum": "SC-41", "question": "Does the organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components?", "type": "non-technical"}, {"controlNum": "SC-42", "question": "Does the organization defines exceptions where remote activation of sensors is to be allowed?", "type": "non-technical"}, {"controlNum": "SC-42", "question": "Does the information system prohibits the remote activation of sensors, except for organization-defined exceptions where remote activation of sensors is to be allowed?", "type": "technical"}, {"controlNum": "SC-42", "question": "Does the organization defines the class of users to whom an explicit indication of sensor use is to be provided?", "type": "non-technical"}, {"controlNum": "SC-42", "question": "Does the information system provides an explicit indication of sensor use 
to the organization-defined class of users?", "type": "technical"}, {"controlNum": "SC-43", "question": "Does the organization defines information system components for which usage restrictions and implementation guidance are to be established?", "type": "non-technical"}, {"controlNum": "SC-43", "question": "Does the organization establishes, for organization-defined information system components usage restrictions based on the potential to cause damage to the information system if used maliciously?", "type": "non-technical"}, {"controlNum": "SC-43", "question": "Does the organization establishes, for organization-defined information system components implementation guidance based on the potential to cause damage to the information system if used maliciously?", "type": "non-technical"}, {"controlNum": "SC-43", "question": "Does the organization authorizes the use of such components within the information system?", "type": "non-technical"}, {"controlNum": "SC-43", "question": "Does the organization monitors the use of such components within the information system?", "type": "non-technical"}, {"controlNum": "SC-43", "question": "Does the organization controls the use of such components within the information system?", "type": "non-technical"}, {"controlNum": "SC-44", "question": "Does the organization defines information system, system component, or location where a detonation chamber capability is to be employed?", "type": "non-technical"}, {"controlNum": "SC-44", "question": "Does the organization employs a detonation chamber capability within organization-defined information system, system component, or location?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses purpose?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses scope?", "type": 
"non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses roles?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses responsibilities?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses management commitment?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses coordination among organizational entities?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents a system and information integrity policy that addresses compliance?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization defines personnel or roles to whom the system and information integrity policy is to be disseminated?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization disseminates the system and information integrity policy to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization defines personnel or roles to whom the procedures are to be disseminated?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization disseminates the procedures to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization defines the frequency to review and 
update the current system and information integrity policy?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization reviews and updates the current system and information integrity policy with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization defines the frequency to review and update the current system and information integrity procedures?", "type": "non-technical"}, {"controlNum": "SI-1", "question": "Does the organization reviews and updates the current system and information integrity procedures with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization identifies information system flaws?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization reports information system flaws?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization corrects information system flaws?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization tests software updates related to flaw remediation for effectiveness and potential side effects before installation?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization defines the time period within which to install security-relevant software updates after the release of the updates?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization defines the time period within which to install security-relevant firmware updates after the release of the updates?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization installs software updates within the organization-defined time period of the release of 
the updates?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization installs firmware updates within the organization-defined time period of the release of the updates?", "type": "non-technical"}, {"controlNum": "SI-2", "question": "Does the organization incorporates flaw remediation into the organizational configuration management process?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system entry points?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system exit points?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1)?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system defines action to be initiated by malicious protection mechanisms in response to malicious code detection?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system configures malicious code protection mechanisms to perform periodic scans of the information system with the organization-defined frequency?", 
"type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system configures malicious code protection mechanisms to do one or more of the following block malicious code in response to malicious code detection?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system configures malicious code protection mechanisms to do one or more of the following quarantine malicious code in response to malicious code detection?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system configures malicious code protection mechanisms to do one or more of the following initiate organization-defined action in response to malicious code detection?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system addresses the receipt of false positives during malicious code detection and eradication?", "type": "non-technical"}, {"controlNum": "SI-3", "question": "Does the organization employs malicious code protection mechanisms to detect and eradicate malicious code at information system addresses the resulting potential impact on the 
availability of the information system?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization defines monitoring objectives to detect attacks and indicators of potential attacks on the information system?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization monitors the information system to detect, in accordance with organization-defined monitoring objectives, attacks?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization monitors the information system to detect, in accordance with organization-defined monitoring objectives, indicators of potential attacks?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization monitors the information system to detect unauthorized local connections?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization monitors the information system to detect unauthorized network connections?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization monitors the information system to detect unauthorized remote connections?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization defines techniques and methods to identify unauthorized use of the information system?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization identifies unauthorized use of the information system through organization-defined techniques and methods?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization deploys monitoring devices strategically within the information system to collect organization-determined essential information?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization?", "type": "non-technical"}, {"controlNum": 
"SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized access?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized modification?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized deletion?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized defines personnel or roles to whom information system monitoring information is to be provided?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized defines information system monitoring information to be provided to organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles?", "type": 
"non-technical"}, {"controlNum": "SI-4", "question": "Does the organization protects information obtained from intrusion-monitoring tools from unauthorized provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following with the organization-defined frequency?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization defines external organizations from whom information system security alerts, advisories and directives are to be received?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization generates internal security alerts, advisories, and directives as deemed necessary?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization defines personnel or roles to whom security alerts, advisories, and directives are to be provided?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization defines elements within the organization to whom security alerts, advisories, and directives are to be provided?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization defines external organizations to whom security alerts, advisories, and directives are to be provided?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization disseminates security alerts, advisories, and directives to one or more of the following organization-defined personnel or roles?", "type": "non-technical"}, {"controlNum": "SI-5", "question": "Does the organization disseminates security alerts, advisories, and directives to one or more of the following organization-defined external organizations?", "type": "non-technical"}, {"controlNum": 
"SI-5", "question": "Does the organization notifies the issuing organization of the degree of noncompliance?", "type": "non-technical"},
{"controlNum": "SI-6", "question": "Does the organization defines security functions to be verified for correct operation?", "type": "non-technical"},
{"controlNum": "SI-6", "question": "Does the information system verifies the correct operation of organization-defined security functions?", "type": "technical"},
{"controlNum": "SI-6", "question": "Does the organization defines system transitional states requiring verification of organization-defined security functions?", "type": "non-technical"},
{"controlNum": "SI-6", "question": "Does the organization defines a frequency to verify the correct operation of organization-defined security functions?", "type": "non-technical"},
{"controlNum": "SI-6", "question": "Does the information system performs this verification one or more of the following at organization-defined system transitional states?", "type": "technical"},
{"controlNum": "SI-6", "question": "Does the information system performs this verification one or more of the following with the organization-defined frequency?", "type": "technical"},
{"controlNum": "SI-6", "question": "Does the organization defines personnel or roles to be notified of failed security verification tests?", "type": "non-technical"},
{"controlNum": "SI-6", "question": "Does the information system notifies organization-defined personnel or roles of failed security verification tests?", "type": "technical"},
{"controlNum": "SI-6", "question": "Does the organization defines alternative action(s) to be performed when anomalies are discovered?", "type": "non-technical"},
{"controlNum": "SI-6", "question": "Does the information system performs one or more of the following actions when anomalies are discovered shuts the information system down?", "type": "technical"},
{"controlNum": "SI-6", "question": "Does the information system performs one or more of the following actions when anomalies are discovered performs organization-defined alternative action(s)?", "type": "technical"},
{"controlNum": "SI-7", "question": "Does the organization defines software requiring integrity verification tools to be employed to detect unauthorized changes?", "type": "non-technical"},
{"controlNum": "SI-7", "question": "Does the organization defines firmware requiring integrity verification tools to be employed to detect unauthorized changes?", "type": "non-technical"},
{"controlNum": "SI-7", "question": "Does the organization defines information requiring integrity verification tools to be employed to detect unauthorized changes?", "type": "non-technical"},
{"controlNum": "SI-7", "question": "Does the organization employs integrity verification tools to detect unauthorized changes to organization-defined software?", "type": "non-technical"},
{"controlNum": "SI-7", "question": "Does the organization employs integrity verification tools to detect unauthorized changes to organization-defined firmware?", "type": "non-technical"},
{"controlNum": "SI-7", "question": "Does the organization employs integrity verification tools to detect unauthorized changes to organization-defined information?", "type": "non-technical"},
{"controlNum": "SI-8", "question": "Does the organization employs spam protection mechanisms at information system entry points to detect unsolicited messages?", "type": "non-technical"},
{"controlNum": "SI-8", "question": "Does the organization employs spam protection mechanisms at information system entry points to take action on unsolicited messages?", "type": "non-technical"},
{"controlNum": "SI-8", "question": "Does the organization employs spam protection mechanisms at information system exit points to detect unsolicited messages?", "type": "non-technical"},
{"controlNum": "SI-8", "question": "Does the organization employs spam protection mechanisms at information system exit points to take action on unsolicited messages?", "type": "non-technical"},
{"controlNum": "SI-8", "question": "Does the organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures?", "type": "non-technical"},
{"controlNum": "SI-10", "question": "Does the organization defines information inputs requiring validity checks?", "type": "non-technical"},
{"controlNum": "SI-10", "question": "Does the information system checks the validity of organization-defined information inputs?", "type": "technical"},
{"controlNum": "SI-11", "question": "Does the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries?", "type": "technical"},
{"controlNum": "SI-11", "question": "Does the organization defines personnel or roles to whom error messages are to be revealed?", "type": "non-technical"},
{"controlNum": "SI-11", "question": "Does the information system reveals error messages only to organization-defined personnel or roles?", "type": "technical"},
{"controlNum": "SI-12", "question": "Does the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements handles information within the information system?", "type": "non-technical"},
{"controlNum": "SI-12", "question": "Does the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements handles output from the information system?", "type": "non-technical"},
{"controlNum": "SI-12", "question": "Does the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements retains information within the information system?", "type": "non-technical"},
{"controlNum": "SI-12", "question": "Does the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements retains output from the information system?", "type": "non-technical"},
{"controlNum": "SI-13", "question": "Does the organization defines information system components for which mean time to failure (MTTF) should be determined?", "type": "non-technical"},
{"controlNum": "SI-13", "question": "Does the organization determines MTTF for organization-defined information system components in specific environments of operation?", "type": "non-technical"},
{"controlNum": "SI-13", "question": "Does the organization defines MTTF substitution criteria to be used as a means to exchange active and standby components?", "type": "non-technical"},
{"controlNum": "SI-13", "question": "Does the organization provides substitute information system components at organization-defined MTTF substitution criteria?", "type": "non-technical"},
{"controlNum": "SI-13", "question": "Does the organization provides a means to exchange active and standby components at organization-defined MTTF substitution criteria?", "type": "non-technical"},
{"controlNum": "SI-14", "question": "Does the organization defines non-persistent information system components and services to be implemented?", "type": "non-technical"},
{"controlNum": "SI-14", "question": "Does the organization defines a frequency to terminate non-persistent organization-defined components and services that are initiated in a known state?", "type": "non-technical"},
{"controlNum": "SI-14", "question": "Does the organization implements non-persistent organization-defined information system components and services that are initiated in a known state and terminated one or more of the following periodically at the organization-defined frequency?", "type": "non-technical"},
{"controlNum": "SI-15", "question": "Does the organization defines software programs and/or applications whose information output requires validation to ensure that the information is consistent with the expected content?", "type": "non-technical"},
{"controlNum": "SI-15", "question": "Does the information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content?", "type": "technical"},
{"controlNum": "SI-16", "question": "Does the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution?", "type": "non-technical"},
{"controlNum": "SI-16", "question": "Does the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution?", "type": "technical"},
{"controlNum": "SI-17", "question": "Does the organization defines fail-safe procedures to be implemented when organization-defined failure conditions occur?", "type": "non-technical"},
{"controlNum": "SI-17", "question": "Does the organization defines failure conditions resulting in organization-defined fail-safe procedures being implemented when such conditions occur?", "type": "non-technical"},
{"controlNum": "SI-17", "question": "Does the information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur?", "type": "technical"}]