Required Security Controls Listing

Shaded box denotes a new requirement since the last release.

Control | Texas DIR Required By | TAMUS Required By | Org/System Control | DIR Baseline

Access Control (AC)

AC-1 Policy and Procedures | 2023-07-20 | | O | L
AC-2 Account Management | 2023-07-20 | | O | L
AC-2(3) Disable Accounts | 2024-11-18 | | S | M
AC-2(7) Privileged User Accounts | | 2022-08-01 | O |
AC-3 Access Enforcement | 2023-01-20 | | S | L
AC-3(7) Role-based Access Control | | 2022-08-01 | O S |
AC-5 Separation of Duties | 2023-07-20 | | O | M
AC-6 Least Privilege | 2023-07-20 | | O | M
AC-7 Unsuccessful Logon Attempts | 2023-07-20 | | S | L
AC-8 System Use Notification | 2023-01-20 | 2022-08-01 | O S | L
AC-11 Device Lock | | 2024-02-01 | S |
AC-14 Permitted Actions Without Identification or Authentication | 2023-01-20 | | O | L
AC-17 Remote Access | 2023-07-20 | | O | L
AC-18 Wireless Access | 2023-07-20 | | O | L
AC-19 Access Control for Mobile Devices | 2023-07-20 | 2022-12-19 | O | L
AC-20 Use of External Systems | 2023-07-20 | | O | L
AC-22 Publicly Accessible Content | 2023-01-20 | | O | L

Awareness and Training (AT)

AT-1 Policy and Procedures | 2023-07-20 | | O | L
AT-2 Literacy Training and Awareness | 2023-07-20 | | O | L
AT-2(2) Insider Threat | 2024-11-18 | | O | L
AT-3 Role-based Training | 2023-07-20 | | O | L
AT-4 Training Records | 2023-07-20 | | O | L

Audit and Accountability (AU)

AU-1 Policy and Procedures | 2023-07-20 | | O | L
AU-2 Event Logging | 2023-07-20 | | O | L
AU-3 Content of Audit Records | 2023-01-20 | | S | L
AU-4 Audit Log Storage Capacity | 2023-07-20 | | O S | L
AU-5 Response to Audit Logging Process Failures | 2023-07-20 | | S | L
AU-6 Audit Record Review, Analysis, and Reporting | 2023-07-20 | | O | L
AU-8 Time Stamps | 2023-07-20 | | S | L
AU-9 Protection of Audit Information | 2023-07-20 | | S | L
AU-11 Audit Record Retention | 2023-07-20 | | O | L
AU-12 Audit Record Generation | 2023-07-20 | | S | L

Assessment, Authorization, and Monitoring (CA)

CA-1 Policy and Procedures | 2023-07-20 | | O | L
CA-2 Control Assessments | 2023-07-20 | | O | L
CA-3 Information Exchange | 2023-07-20 | | O | L
CA-5 Plan of Action and Milestones | 2023-01-20 | | O | L
CA-6 Authorization | 2023-07-20 | | O | L
CA-7 Continuous Monitoring | 2023-07-20 | | O | L
CA-7(4) Risk Monitoring | 2023-07-20 | | O S | L
CA-8 Penetration Testing | 2023-07-20 | | O | H
CA-9 Internal System Connections | 2023-07-20 | | O | L

Configuration Management (CM)

CM-1 Policy and Procedures | 2023-07-20 | | O | L
CM-2 Baseline Configuration | 2023-07-20 | | O | L
CM-3 Configuration Change Control | 2024-11-18 | 2022-08-01 | O | M
CM-3(2) Testing, Validation, and Documentation of Changes | | 2022-08-01 | O |
CM-4 Impact Analyses | 2023-07-20 | | O | L
CM-5 Access Restrictions for Change | 2023-07-20 | | O | L
CM-6 Configuration Settings | 2023-07-20 | 2022-08-01 | O S | L
CM-7 Least Functionality | 2023-07-20 | | O S | L
CM-8 System Component Inventory | 2023-07-20 | | O | L
CM-10 Software Usage Restrictions | 2023-01-20 | 2022-08-01 | O | L
CM-11 User-installed Software | 2023-01-20 | 2024-02-01 | O | L

Contingency Planning (CP)

CP-1 Policy and Procedures | 2023-07-20 | | O | L
CP-2 Contingency Plan | 2023-07-20 | | O | L
CP-2(1) Coordinate with Related Plans | | 2022-08-01 | O |
CP-3 Contingency Training | 2023-07-20 | | O | L
CP-4 Contingency Plan Testing | 2023-01-20 | 2022-08-01 | O | L
CP-4(1) Coordinate with Related Plans | | 2022-08-01 | O |
CP-6 Alternate Storage Site | 2023-01-20 | | O | M
CP-8 Telecommunications Services | 2024-11-18 | | O | M
CP-9 System Backup | 2023-07-20 | | O | L
CP-9(3) Separate Storage for Critical Information | | 2022-08-01 | O |
CP-10 System Recovery and Reconstitution | 2023-07-20 | | O | L
CP-11 Alternate Communications Protocols | 2023-07-20 | | O |

Identification and Authentication (IA)

IA-1 Policy and Procedures | 2023-07-20 | | O | L
IA-2 Identification and Authentication (Organizational Users) | 2023-01-20 | | O S | L
IA-2(1) Multi-factor Authentication to Privileged Accounts | 2024-11-18 | 2021-09-13 | S | L
IA-2(2) Multi-factor Authentication to Non-privileged Accounts | 2023-07-20 | | S | L
IA-4 Identifier Management | 2023-07-20 | | O | L
IA-5 Authenticator Management | 2023-07-20 | | O S | L
IA-5(1) Password-based Authentication | 2024-11-18 | | O S | L
IA-6 Authentication Feedback | 2023-01-20 | | S | L
IA-7 Cryptographic Module Authentication | 2023-01-20 | | S | L
IA-8 Identification and Authentication (Non-organizational Users) | 2023-01-20 | | S | L
IA-11 Re-authentication | 2023-07-20 | 2022-08-01 | O S | L
IA-12 Identity Proofing | | 2022-08-01 | O |

Incident Response (IR)

IR-1 Policy and Procedures | 2023-07-20 | | O | L
IR-2 Incident Response Training | 2023-07-20 | | O | L
IR-3 Incident Response Testing | 2023-07-20 | | O | M
IR-4 Incident Handling | 2023-07-20 | | O | L
IR-5 Incident Monitoring | 2023-07-20 | | O | L
IR-6 Incident Reporting | 2023-07-20 | 2022-08-01 | O | L
IR-7 Incident Response Assistance | 2023-07-20 | | O | L
IR-8 Incident Response Plan | 2023-07-20 | | O | L
IR-9 Information Spillage Response | 2023-07-20 | | O |

Maintenance (MA)

MA-1 Policy and Procedures | 2023-07-20 | | O | L
MA-2 Controlled Maintenance | 2023-07-20 | | O | L
MA-4 Nonlocal Maintenance | 2023-07-20 | | O | L
MA-5 Maintenance Personnel | 2023-01-20 | | O | L

Media Protection (MP)

MP-1 Policy and Procedures | 2023-07-20 | | O | L
MP-2 Media Access | 2023-01-20 | | O | L
MP-3 Media Marking | | 2022-08-01 | O |
MP-6 Media Sanitization | 2023-07-20 | | O | L
MP-6(1) Review, Approve, Track, Document, and Verify | 2024-11-18 | | O | H
MP-7 Media Use | 2023-07-20 | | O | L

Physical and Environmental Protection (PE)

PE-1 Policy and Procedures | 2023-07-20 | | O | L
PE-2 Physical Access Authorizations | 2023-01-20 | | O | L
PE-3 Physical Access Control | 2023-07-20 | | O | L
PE-6 Monitoring Physical Access | 2023-01-20 | | O | L
PE-6(3) Video Surveillance | | 2022-08-01 | O |
PE-8 Visitor Access Records | 2023-07-20 | | O | L
PE-12 Emergency Lighting | 2023-01-20 | | O | L
PE-13 Fire Protection | 2023-01-20 | | O | L
PE-14 Environmental Controls | 2023-07-20 | | O | L
PE-15 Water Damage Protection | 2023-01-20 | | O | L
PE-16 Delivery and Removal | 2023-07-20 | | O | L
PE-17 Alternate Work Site | 2023-07-20 | | O | M
PE-18 Location of System Components | | 2021-09-13 | O |

Planning (PL)

PL-1 Policy and Procedures | 2023-07-20 | | O | L
PL-2 System Security and Privacy Plans | 2023-07-20 | | O | L
PL-4 Rules of Behavior | 2023-07-20 | 2022-08-01 | O | L
PL-4(1) Social Media and External Site/Application Usage Restrictions | 2024-11-18 | | O | L
PL-10 Baseline Selection | 2024-11-18 | | O | L
PL-11 Baseline Tailoring | 2024-11-18 | | O | L

Program Management (PM)

PM-1 Information Security Program Plan | 2023-07-20 | | O |
PM-2 Information Security Program Leadership Role | 2023-07-20 | | O |
PM-3 Information Security and Privacy Resources | 2023-07-20 | | O |
PM-4 Plan of Action and Milestones Process | 2023-07-20 | | O |
PM-5 System Inventory | 2023-07-20 | 2022-08-01 | O |
PM-6 Measures of Performance | 2023-07-20 | | O |
PM-7 Enterprise Architecture | 2023-07-20 | | O |
PM-9 Risk Management Strategy | 2023-07-20 | | O |
PM-10 Authorization Process | 2023-07-20 | | O |
PM-14 Testing, Training, and Monitoring | 2023-07-20 | 2022-08-01 | O |
PM-15 Security and Privacy Groups and Associations | 2023-07-20 | | O |
PM-16 Threat Awareness Program | 2023-07-20 | | O |

Personnel Security (PS)

PS-1 Policy and Procedures | 2023-07-20 | | O | L
PS-2 Position Risk Designation | 2023-01-20 | | O | L
PS-3 Personnel Screening | 2023-01-20 | | O | L
PS-4 Personnel Termination | 2023-07-20 | | O | L
PS-5 Personnel Transfer | 2023-01-20 | | O | L
PS-6 Access Agreements | 2023-01-20 | | O | L
PS-7 External Personnel Security | 2023-01-20 | | O | L
PS-8 Personnel Sanctions | 2023-01-20 | | O | L
PS-9 Position Descriptions | 2024-11-18 | | O | L

Personally Identifiable Information Processing and Transparency (PT)

PT-3 Personally Identifiable Information Processing Purposes | | 2022-08-01 | O |

Risk Assessment (RA)

RA-1 Policy and Procedures | 2023-07-20 | | O | L
RA-2 Security Categorization | 2023-07-20 | 2022-08-01 | O | L
RA-3 Risk Assessment | 2023-07-20 | | O | L
RA-3(1) Supply Chain Risk Assessment | 2023-07-20 | | O | L
RA-5 Vulnerability Monitoring and Scanning | 2023-07-20 | | O | L
RA-5(2) Update Vulnerabilities to Be Scanned | 2024-11-18 | | O | L
RA-5(11) Public Disclosure Program | 2024-11-18 | | O | L
RA-7 Risk Response | 2023-07-20 | | O | L

System and Services Acquisition (SA)

SA-1 Policy and Procedures | 2023-07-20 | | O | L
SA-2 Allocation of Resources | 2023-07-20 | | O | L
SA-3 System Development Life Cycle | 2023-07-20 | 2022-08-01 | O | L
SA-4 Acquisition Process | 2023-07-20 | 2022-08-01 | O | L
SA-5 System Documentation | 2023-07-20 | | O | L
SA-8 Security and Privacy Engineering Principles | 2023-07-20 | | O | L
SA-9 External System Services | 2023-07-20 | | O | L
SA-10 Developer Configuration Management | 2023-07-20 | | O | M
SA-11 Developer Testing and Evaluation | 2023-07-20 | | O | M
SA-22 Unsupported System Components | 2023-07-20 | | O | L

System and Communications Protection (SC)

SC-1 Policy and Procedures | 2023-07-20 | | O | L
SC-5 Denial-of-service Protection | 2023-07-20 | | S | L
SC-7 Boundary Protection | 2023-07-20 | | S | L
SC-8 Transmission Confidentiality and Integrity | 2023-01-20 | | S | M
SC-12 Cryptographic Key Establishment and Management | 2023-01-20 | | O S | L
SC-13 Cryptographic Protection | 2023-07-20 | | S | L
SC-15 Collaborative Computing Devices and Applications | 2023-07-20 | | S | L
SC-20 Secure Name/Address Resolution Service (Authoritative Source) | 2023-01-20 | | S | L
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) | 2023-01-20 | | S | L
SC-22 Architecture and Provisioning for Name/Address Resolution Service | 2023-01-20 | | S | L
SC-39 Process Isolation | 2023-01-20 | | S | L

System and Information Integrity (SI)

SI-1 Policy and Procedures | 2023-07-20 | | O | L
SI-2 Flaw Remediation | 2023-01-20 | | O | L
SI-3 Malicious Code Protection | 2023-07-20 | | O S | L
SI-4 System Monitoring | 2023-07-20 | 2022-08-01 | O S | L
SI-5 Security Alerts, Advisories, and Directives | 2023-01-20 | | O | L
SI-10 Information Input Validation | 2023-07-20 | | S | M
SI-12 Information Management and Retention | 2023-07-20 | | O | L

Supply Chain Risk Management (SR)

SR-1 Policy and Procedures | 2023-07-20 | | O | L
SR-2 Supply Chain Risk Management Plan | 2023-07-20 | | O | L
SR-3 Supply Chain Controls and Processes | 2023-07-20 | | O S | L
SR-5 Acquisition Strategies, Tools, and Methods | 2023-07-20 | | O | L
SR-8 Notification Agreements | 2023-07-20 | | O | L
SR-12 Component Disposal | 2023-07-20 | | O | L