Control Crosswalk
One control — credit across all mapped frameworks. Upload evidence once, satisfy multiple requirements.
162 total controls: 0 verified, 0 implemented, 0 in progress.
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date...
Address Unauthorized Assets
Ensure that a process exists to address unauthorized assets ...
Utilize an Active Discovery Tool
Utilize an active discovery tool to identify assets connecte...
Use Dynamic Host Configuration Protocol (DHCP) Logging
Use DHCP logging on all DHCP servers or IP address managemen...
Use a Passive Asset Discovery Tool
Use a passive discovery tool to identify assets connected to...
Use a Passive Asset Discovery Tool
Use a passive discovery tool to identify assets connected to...
Establish and Maintain a Software Inventory
Establish and maintain a detailed inventory of all licensed ...
Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated ...
Address Unauthorized Software
Ensure that unauthorized software is either removed from use...
Utilize Automated Software Inventory Tools
Utilize software inventory tools throughout the enterprise t...
Allowlist Authorized Software
Use technical controls, such as application allowlisting, to...
Allowlist Authorized Libraries
Use technical controls to ensure that only authorized softwa...
Allowlist Authorized Scripts
Use technical controls, such as digital signatures and versi...
Establish and Maintain a Data Management Process
Establish and maintain a data management process....
Establish and Maintain a Data Inventory
Establish and maintain a data inventory, based on the enterp...
Configure Data Access Control Lists
Configure data access control lists based on a user's need t...
Enforce Data Retention
Retain data according to the enterprise's data management pr...
Securely Dispose of Data
Securely dispose of data as outlined in the enterprise's dat...
Encrypt Data on End-User Devices
Encrypt data on end-user devices containing sensitive data....
Establish and Maintain a Data Classification Scheme
Establish and maintain an overall data classification scheme...
Document Data Flows
Document data flows....
Encrypt Data on Removable Media
Encrypt data on removable media....
Encrypt Sensitive Data in Transit
Encrypt sensitive data in transit....
Encrypt Sensitive Data at Rest
Encrypt sensitive data at rest on servers, applications, and...
Segment Data Processing and Storage Based on Sensitivity
Segment data processing and storage based on the sensitivity...
Deploy a Data Loss Prevention Solution
Implement an automated tool, such as a host-based Data Loss ...
Log Sensitive Data Access
Log sensitive data access, including modification and dispos...
Use a Host-Based Data Loss Prevention (DLP) Solution
Use a host-based data loss prevention (DLP) solution to dete...
Establish and Maintain a Secure Configuration Process
Establish and maintain a secure configuration process for en...
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a secure configuration process for ne...
Configure Automatic Session Locking on Enterprise Assets
Configure automatic session locking on enterprise assets aft...
Implement and Manage a Firewall on Servers
Implement and manage a firewall on servers, where supported....
Implement and Manage a Firewall on End-User Devices
Implement and manage a host-based firewall or port-filtering...
Securely Manage Enterprise Assets and Software
Securely manage enterprise assets and software....
Manage Default Accounts on Enterprise Assets and Software
Manage default accounts on enterprise assets and software....
Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Uninstall or disable unnecessary services on enterprise asse...
Configure Trusted DNS Servers on Enterprise Assets
Configure trusted DNS servers on enterprise assets....
Enforce Automatic Device Lockout on Portable End-User Devices
Enforce automatic device lockout following a predetermined t...
Enforce Remote Wipe Capability on Portable End-User Devices
Remotely wipe enterprise data from enterprise-owned portable...
Separate Enterprise Workspaces on Mobile End-User Devices
Ensure separate enterprise workspaces are used on mobile end...
Encrypt Sensitive Data at Rest
Encrypt sensitive data at rest on servers, applications, and...
Establish and Maintain an Inventory of Accounts
Establish and maintain an inventory of all accounts managed ...
Use Unique Passwords
Use unique passwords for all enterprise assets....
Disable Dormant Accounts
Delete or disable any dormant accounts after a period of 45 ...
Restrict Administrator Privileges to Dedicated Administrator Accounts
Restrict administrator privileges to dedicated administrator...
Establish and Maintain an Inventory of Service Accounts
Establish and maintain an inventory of service accounts....
Centralize Account Management
Centralize account management through a directory or identit...
Centralize Access Control
Centralize access control for all enterprise assets....
Establish an Access Granting Process
Establish and follow a process, preferably automated, for gr...
Establish an Access Revoking Process
Establish and follow a process, preferably automated, for re...
Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party app...
Require MFA for Remote Network Access
Require MFA for remote network access....
Require MFA for Administrative Access
Require MFA for all administrative access accounts....
Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and maintain an inventory of the enterprise's auth...
Centralize Access Control
Centralize access control for all enterprise assets through ...
Define and Maintain Role-Based Access Control
Define and maintain role-based access control....
Require MFA for All Administrative Access
Require MFA for all administrative access accounts....
Establish and Maintain a Vulnerability Management Process
Establish and maintain a documented vulnerability management...
Establish and Maintain a Remediation Process
Establish and maintain a risk-based remediation strategy doc...
Perform Automated Operating System Patch Management
Perform operating system updates on enterprise assets throug...
Perform Automated Application Patch Management
Perform application updates on enterprise assets through aut...
Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform automated vulnerability scans of internal enterprise...
Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally exposed ...
Remediate Detected Vulnerabilities
Remediate detected vulnerabilities in software through proce...
Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program....
Establish and Maintain an Audit Log Management Process
Establish and maintain an audit log management process that ...
Collect Audit Logs
Collect audit logs. Ensure that logging, per the enterprise'...
Ensure Adequate Audit Log Storage
Ensure that logging destinations maintain adequate storage t...
Standardize Time Synchronization
Standardize time synchronization....
Collect Detailed Audit Logs
Configure detailed audit logging for enterprise assets conta...
Collect DNS Query Audit Logs
Collect DNS query audit logs....
Collect URL Request Audit Logs
Collect URL request audit logs....
Collect Command-Line Audit Logs
Collect command-line audit logs....
Centralize Audit Logs
Centralize, to the extent possible, audit log collection and...
Retain Audit Logs
Retain audit logs across enterprise assets for a minimum of ...
Conduct Audit Log Reviews
Conduct reviews of audit logs to detect anomalies or abnorma...
Collect Service Provider Logs
Collect service provider logs, where supported....
Deploy a Security Information and Event Management (SIEM) Solution
Deploy a Security Information and Event Management (SIEM) so...
Ensure Use of Only Fully Supported Browsers and Email Clients
Ensure only fully supported browsers and email clients are a...
Use DNS Filtering Services
Use DNS filtering services on all enterprise assets to block...
Maintain and Enforce Network-Based URL Filters
Enforce and update network-based URL filters to limit an ent...
Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Restrict, either through uninstalling or disabling, any unau...
Implement DMARC
To lower the chance of spoofed or modified emails from valid...
Block Unnecessary File Types
Block unnecessary file types attempting to enter the enterpr...
Deploy and Maintain Email Server Anti-Malware Protections
Deploy and maintain email server anti-malware protections....
Deploy and Maintain Anti-Malware Software
Deploy and maintain anti-malware software on all enterprise ...
Configure Automatic Anti-Malware Signature Updates
Configure automatic updates for anti-malware signature files...
Disable Autorun and Autoplay for Removable Media
Disable autorun and autoplay auto-execute functionality for ...
Configure Automatic Anti-Malware Scanning of Removable Media
Configure anti-malware software to automatically scan remova...
Enable Anti-Exploitation Features
Enable anti-exploitation features on enterprise assets and s...
Centrally Manage Anti-Malware Software
Centrally manage anti-malware software....
Use Behavior-Based Anti-Malware Software
Use behavior-based anti-malware software....
Enable Command-Line Audit Logging
Enable command-line audit logging for command shells....
Establish and Maintain a Data Recovery Process
Establish and maintain a data recovery process....
Perform Automated Backups
Perform automated backups of in-scope enterprise assets....
Protect Recovery Data
Protect recovery data with equivalent controls to the origin...
Establish and Maintain an Isolated Instance of Recovery Data
Establish and maintain an isolated instance of recovery data...
Ensure Network Infrastructure is Up-to-Date
Ensure network infrastructure is kept up-to-date....
Establish and Maintain a Secure Network Architecture
Establish and maintain a secure network architecture....
Securely Manage Network Infrastructure
Securely manage network infrastructure....
Establish and Maintain Architecture Diagram(s)
Establish and maintain architecture diagram(s) and/or other ...
Centralize Network Authentication, Authorization, and Auditing (AAA)
Centralize network AAA....
Use of Secure Network Management and Communication Protocols
Use secure network management and communication protocols....
Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
Require users to authenticate to enterprise-managed VPN and ...
Establish and Maintain Dedicated Computing Resources for All Administrative Work
Establish and maintain dedicated computing resources, either...
Deploy Port Access Entity (PAE)
Deploy port access entity (PAE) at Layer 2 for all applicabl...
Encrypt Sensitive Data in Transit
Encrypt sensitive data in transit....
Centralize Security Event Alerting
Centralize security event alerting across enterprise assets ...
Deploy a Host-Based Intrusion Detection Solution
Deploy a host-based intrusion detection solution on enterpri...
Deploy a Network Intrusion Detection Solution
Deploy a network intrusion detection solution on enterprise ...
Perform Traffic Filtering Between Network Segments
Perform traffic filtering between network segments....
Manage Access Control for Remote Assets
Manage access control for assets remotely connecting to ente...
Collect Network Traffic Flow Logs
Collect network traffic flow logs and/or network traffic to ...
Deploy a Host-Based Intrusion Prevention Solution
Deploy a host-based intrusion prevention solution on enterpr...
Deploy a Network Intrusion Prevention Solution
Deploy a network intrusion prevention solution....
Deploy Port-Level Access Control
Deploy port-level access control....
Perform Application Layer Filtering
Perform application layer filtering....
Tune Security Event Alerting Thresholds
Tune security event alerting thresholds monthly, or more fre...
Establish and Maintain a Security Awareness Program
Establish and maintain a security awareness program....
Train Workforce Members to Recognize Social Engineering Attacks
Train workforce members to recognize social engineering atta...
Train Workforce Members on Authentication Best Practices
Train workforce members on authentication best practices....
Train Workforce on Data Handling Best Practices
Train workforce members on how to identify and properly stor...
Train Workforce Members on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentio...
Train Workforce Members on Recognizing and Reporting Security Incidents
Train workforce members to recognize a potential incident an...
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train workforce to understand how to verify and report out-o...
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Train workforce members on the dangers of connecting to and ...
Conduct Role-Specific Security Awareness and Skills Training
Conduct role-specific security awareness and skills training...
Establish and Maintain an Inventory of Service Providers
Establish and maintain an inventory of service providers....
Establish and Maintain a Service Provider Management Policy
Establish and maintain a service provider management policy....
Classify Service Providers
Classify service providers....
Ensure Service Provider Contracts Include Security Requirements
Ensure service provider contracts include security requireme...
Assess Service Providers
Assess service providers consistent with the enterprise's se...
Monitor Service Providers
Monitor service providers consistent with the enterprise's s...
Securely Decommission Service Providers
Securely decommission service providers....
Establish and Maintain a Secure Application Development Process
Establish and maintain a secure application development proc...
Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Establish and maintain a process to accept and address repor...
Perform Root Cause Analysis on Security Vulnerabilities
Perform root cause analysis on security vulnerabilities....
Establish and Manage an Inventory of Third-Party Software Components
Establish and manage an updated inventory of third-party com...
Use Up-to-Date and Trusted Third-Party Software Components
Use up-to-date and trusted third-party software components....
Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Establish and maintain a severity rating system and process ...
Use Standard Hardening Configuration Templates for Application Infrastructure
Use standard, industry-recommended hardening configuration t...
Separate Production and Non-Production Systems
Maintain separate environments for production and non-produc...
Train Developers in Application Security Concepts and Secure Coding
Ensure that all software development personnel receive train...
Apply Secure Design Principles in Application Architectures
Apply secure design principles in application architectures....
Leverage Vetted Modules or Services for Application Security Components
Leverage vetted modules or services for application security...
Implement Code-Level Security Checks
Apply static and dynamic analysis tools within the applicati...
Conduct Application Penetration Testing
Conduct application penetration testing....
Designate Personnel to Manage Incident Handling
Designate one key person, and at least one backup, who will ...
Establish and Maintain Contact Information for Reporting Security Incidents
Establish and maintain contact information for parties that ...
Establish and Maintain an Enterprise Process for Reporting Incidents
Establish and maintain an enterprise process for the workfor...
Establish and Maintain an Incident Response Process
Establish and maintain an incident response process that add...
Assign Key Roles and Responsibilities
Assign key roles and responsibilities for incident response....
Define Mechanisms for Communicating During Incident Response
Determine which primary and secondary mechanisms will be use...
Conduct Routine Incident Response Exercises
Plan and conduct routine incident response exercises and sce...
Conduct Post-Incident Reviews
Conduct post-incident reviews....
Establish and Maintain Security Incident Thresholds
Establish and maintain security incident thresholds....
Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropr...
Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program...
Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise'...
Validate Security Measures
Validate security measures after each penetration test....
Perform Periodic Internal Penetration Tests
Perform periodic internal penetration tests based on program...
Perform Periodic Red Team Exercises
Perform periodic red team exercises to test organizational d...