# Control Library

| Control Category                        | Control ID   | Control Summary                         | Control Description                                                                | Applicable ITRA Levels (1 / 2 / 3)      | EOS Risk Assessment |
| --------------------------------------- | ------------ | --------------------------------------- | ---------------------------------------------------------------------------------- | --------------------------------------- | ------------------- |
| IT & Cybersecurity Governance           | CTRL-GOV-001 | Digital Security Governance Program     | Mechanisms to implement cybersecurity and privacy governance controls.             | - / - / -                               | -                   |
| IT & Cybersecurity Governance           | CTRL-GOV-002 | Publishing IT Documentation             | Mechanisms to establish/maintain/disseminate IT policies/standards/procedures.     | - / - / -                               | -                   |
| IT & Cybersecurity Governance           | CTRL-GOV-003 | Periodic Review of IT Documentation     | Mechanisms to review program/policies at intervals or upon changes.                | - / - / -                               | -                   |
| Asset Management                        | CTRL-AST-001 | Asset Inventories                       | Mechanisms for asset inventories, including software, granularity, accountability. | Y / - / -                               | Y                   |
| Asset Management                        | CTRL-AST-002 | Network Diagrams & DFDs                 | Mechanisms for maintaining diagrams with security details and data flows.          | - / - / -                               | -                   |
| Asset Management                        | CTRL-AST-003 | Secure Disposal of Equipment            | Mechanisms for secure disposal/destruction/repurpose per standards.                | - / - / Y (ITRC)                        | Y (ITRC)            |
| Asset Management                        | CTRL-AST-004 | BYOD Usage                              | Mechanisms to govern BYOD program risks.                                           | - / - / -                               | -                   |
| Artificial & Autonomous Technologies    | CTRL-AAT-001 | AI TEVV Trustworthiness Assessment      | Mechanisms to evaluate AI/AAT for trustworthy behavior/security.                   | - / - / -                               | -                   |
| Business Continuity & Disaster Recovery | CTRL-BCD-001 | Identify Critical Assets                | Mechanisms to document critical systems supporting missions.                       | - / - / -                               | -                   |
| Business Continuity & Disaster Recovery | CTRL-BCD-002 | Contingency Plan Testing                | Mechanisms for tests/exercises to evaluate plan effectiveness.                     | Y / Y / -                               | Y (ITRC)            |
| Business Continuity & Disaster Recovery | CTRL-BCD-003 | Data Backups                            | Mechanisms for backups/verification per RTO/RPO, with access restrictions/crypto.  | Y / Y / Y (ITRC)                        | -                   |
| Business Continuity & Disaster Recovery | CTRL-BCD-004 | Contingency Planning & Updates          | Mechanisms to update plans with needs/changes/testing.                             | - / - / -                               | -                   |
| Capacity & Performance Planning         | CTRL-CAP-001 | Capacity Planning                       | Mechanisms for capacity planning during contingencies.                             | - / - / Y (ITRC)                        | -                   |
| Capacity & Performance Planning         | CTRL-CAP-002 | Performance Monitoring                  | Automated mechanisms for monitoring/alerting system health.                        | Y / Y / Y (ITRC)                        | -                   |
| Change Management                       | CTRL-CHG-001 | Configuration Change Control            | Mechanisms for governing change control processes.                                 | - / - / -                               | -                   |
| Change Management                       | CTRL-CHG-002 | Prohibition Of Changes                  | Mechanisms to prohibit unauthorized changes.                                       | - / - / -                               | -                   |
| Change Management                       | CTRL-CHG-003 | Test, Validate & Document Changes       | Mechanisms for testing/documenting in non-prod before prod.                        | - / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-001 | Cloud Infrastructure Onboarding         | Mechanisms to secure cloud services per standards.                                 | - / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-002 | Cloud Security Architecture             | Mechanisms for secure cloud design/maintenance.                                    | - / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-003 | API Security                            | Mechanisms for secure interoperability.                                            | Y / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-004 | Virtual Machine Images                  | Mechanisms for VM image integrity.                                                 | - / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-005 | Multi-Tenant Environments               | Mechanisms for tenant segmentation.                                                | Y / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-006 | Data Handling & Portability             | Mechanisms for secure data protocols in cloud.                                     | Y / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-007 | Sensitive Data In Public Clouds         | Mechanisms to limit sensitive data in public clouds.                               | Y / - / -                               | -                   |
| Cloud Security                          | CTRL-CLD-008 | Cloud Access Point                      | Mechanisms for CAP boundary protection/monitoring.                                 | - / - / -                               | -                   |
| Compliance                              | CTRL-CPL-001 | Statutory/Regulatory Compliance         | Mechanisms for identifying/implementing compliance controls.                       | - / - / Y (ITRC) (If personal data)     | -                   |
| Configuration Management                | CTRL-CFG-001 | System Hardening                        | Mechanisms for secure baselines per standards; automate/report.                    | Y / Y / Y (ITRC)                        | -                   |
| Configuration Management                | CTRL-CFG-002 | Configuration Enforcement               | Automated mechanisms for endpoint config monitoring/enforcement.                   | - / - / -                               | -                   |
| Continuous Monitoring                   | CTRL-MON-001 | Centralized Security Event Logs         | Mechanisms for SIEM centralized log collection/analysis.                           | Y / Y / Y (ITCS)                        | -                   |
| Continuous Monitoring                   | CTRL-MON-002 | Anomalous Behavior                      | Mechanisms to detect/respond to anomalous behavior.                                | - / - / -                               | -                   |
| Cryptographic Protections               | CTRL-CRY-001 | Transmission Confidentiality            | Crypto mechanisms for data in transmission.                                        | Y / Y / - (ITCS) (If confidential data) | -                   |
| Cryptographic Protections               | CTRL-CRY-002 | Transmission Integrity                  | Crypto mechanisms for data integrity in transmission.                              | - / - / -                               | -                   |
| Cryptographic Protections               | CTRL-CRY-003 | Encrypting Data At Rest                 | Crypto mechanisms for data at rest.                                                | Y / Y / - (ITCS) (If confidential data) | -                   |
| Cryptographic Protections               | CTRL-CRY-004 | Cryptographic Key Management            | Mechanisms for key management.                                                     | Y / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-001 | Data & Asset Classification             | Mechanisms for categorizing data/assets per requirements.                          | - / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-002 | Digital Media Sanitization              | Mechanisms for sanitizing media per classification.                                | - / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-003 | Removable Media Security                | Mechanisms to restrict removable media per parameters.                             | Y / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-004 | Use of External Systems                 | Mechanisms to govern external data handling.                                       | - / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-005 | Limitations on Use                      | Mechanisms to restrict sensitive data use/distribution.                            | - / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-006 | Periodic Scans for Sensitive Data       | Mechanisms to scan for sensitive data.                                             | - / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-007 | Ad-Hoc Large File Transfers             | Mechanisms to secure large file exchanges.                                         | Y / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-008 | Media & Data Retention                  | Mechanisms for retention per obligations.                                          | Y / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-009 | Information Location                    | Mechanisms to identify info locations.                                             | - / - / -                               | -                   |
| Data Classification & Handling          | CTRL-DCH-010 | Transfer of Sensitive Data              | Mechanisms to govern cross-border transfers.                                       | Y / - / -                               | -                   |
| Embedded Technology                     | CTRL-EMB-001 | Internet of Things (IoT)                | Mechanisms to manage IoT risks.                                                    | - / - / -                               | -                   |
| Embedded Technology                     | CTRL-EMB-002 | Operational Technology (OT)             | Mechanisms to manage OT risks.                                                     | - / - / -                               | -                   |
| Endpoint Security                       | CTRL-END-001 | Malicious Code Protection               | Mechanisms for antimalware detection/eradication.                                  | Y / Y / - (ITCS)                        | -                   |
| Endpoint Security                       | CTRL-END-002 | Endpoint Protection Measures            | Mechanisms for endpoint CIA/safety protection.                                     | Y / - / -                               | -                   |
| Endpoint Security                       | CTRL-END-003 | Prohibit Installation Without Privilege | Mechanisms to prohibit unprivileged installs.                                      | Y / - / -                               | -                   |
| Endpoint Security                       | CTRL-END-004 | Endpoint File Integrity Monitoring      | Mechanisms for FIM detection/reporting.                                            | - / - / -                               | -                   |
| Endpoint Security                       | CTRL-END-005 | Phishing & Spam Protection              | Mechanisms for anti-phishing/spam.                                                 | - / - / -                               | -                   |
| Human Resources Security                | CTRL-HRS-001 | Roles & Responsibilities                | Mechanisms to define cybersecurity responsibilities.                               | - / - / -                               | -                   |
| Human Resources Security                | CTRL-HRS-002 | Personnel Screening                     | Mechanisms for screening before access.                                            | - / - / -                               | -                   |
| Human Resources Security                | CTRL-HRS-003 | Confidentiality Agreements              | Mechanisms for NDAs/confidentiality agreements.                                    | - / - / -                               | -                   |
| Identification & Authentication         | CTRL-IAC-001 | Organizational User Identification      | Mechanisms for AAA organizational users.                                           | Y / Y / Y (ITCS)                        | -                   |
| Identification & Authentication         | CTRL-IAC-002 | Non-Organizational User Identification  | Mechanisms for AAA third-party users.                                              | Y / - / -                               | -                   |
| Identification & Authentication         | CTRL-IAC-003 | Multi-Factor Authentication             | Mechanisms for MFA in specified scenarios.                                         | - / - / -                               | -                   |
| Identification & Authentication         | CTRL-IAC-004 | User Provisioning & De-Provisioning     | Mechanisms for registration/de-registration/revocation.                            | Y / - / -                               | -                   |
| Identification & Authentication         | CTRL-IAC-005 | Role-Based Access Control               | Mechanisms for RBAC with need-to-know.                                             | Y / - / -                               | -                   |
| Identification & Authentication         | CTRL-IAC-006 | Account Management                      | Mechanisms for governing account types.                                            | - / - / -                               | -                   |
| Identification & Authentication         | CTRL-IAC-007 | Privileged Account Management           | Mechanisms for restricting privileged access.                                      | Y / Y / Y (ITRC)                        | -                   |
| Identification & Authentication         | CTRL-IAC-008 | Password-Based Authentication           | Mechanisms for strong password criteria.                                           | Y / - / -                               | -                   |
| Incident Response                       | CTRL-IRO-001 | Incident Handling                       | Mechanisms for incident lifecycle.                                                 | - / - / -                               | -                   |
| Incident Response                       | CTRL-IRO-002 | Integrated Incident Response Team       | Mechanisms for establishing response team.                                         | - / - / -                               | -                   |
| Incident Response                       | CTRL-IRO-003 | Chain of Custody & Forensics            | Mechanisms for forensics/chain of custody.                                         | - / - / -                               | -                   |
| Incident Response                       | CTRL-IRO-004 | RCA & Lessons Learned                   | Mechanisms to incorporate lessons learned.                                         | - / - / -                               | -                   |
| Maintenance                             | CTRL-MNT-001 | Controlled Maintenance                  | Mechanisms for lifecycle maintenance.                                              | - / - / -                               | -                   |
| Maintenance                             | CTRL-MNT-002 | Maintenance Monitoring                  | Mechanisms for tracking maintenance quality.                                       | - / - / -                               | -                   |
| Mobile Device Management                | CTRL-MDM-001 | Access Control For Mobile Devices       | Mechanisms for mobile access controls.                                             | - / - / -                               | -                   |
| Mobile Device Management                | CTRL-MDM-002 | Device/Container Encryption             | Crypto mechanisms for mobile encryption.                                           | - / - / -                               | -                   |
| Mobile Device Management                | CTRL-MDM-003 | Remote Purging                          | Mechanisms for remote info purge.                                                  | - / - / -                               | -                   |
| Network Security                        | CTRL-NET-001 | Layered Network Defenses                | Mechanisms for layered security design.                                            | Y / Y / - (ITCS)                        | -                   |
| Network Security                        | CTRL-NET-002 | Boundary Protection                     | Mechanisms for boundary monitoring/control.                                        | Y / - / -                               | -                   |
| Network Security                        | CTRL-NET-003 | Data Flow Enforcement (ACLs)            | Mechanisms for firewall/router configs.                                            | Y / - / -                               | -                   |
| Network Security                        | CTRL-NET-004 | Network Segmentation                    | Mechanisms for resource isolation.                                                 | Y / Y / - (ITCS)                        | -                   |
| Network Security                        | CTRL-NET-005 | NIDS/NIPS                               | Mechanisms for intrusion detection/prevention.                                     | Y / - / -                               | -                   |
| Network Security                        | CTRL-NET-006 | Remote Access                           | Mechanisms for secure remote access methods.                                       | Y / Y / - (ITCS)                        | -                   |
| Network Security                        | CTRL-NET-007 | Wireless Networking                     | Mechanisms for wireless control/monitoring.                                        | Y / - / -                               | -                   |
| Network Security                        | CTRL-NET-008 | Data Loss Prevention                    | Mechanisms for DLP on sensitive info.                                              | Y / Y / - (ITCS) (If confidential data) | -                   |
| Network Security                        | CTRL-NET-009 | DNS & Content Filtering                 | Mechanisms for proxy/filtering traffic.                                            | Y / - / -                               | -                   |
| Physical & Environmental Security       | CTRL-PES-001 | Physical Access Control                 | Mechanisms for physical access enforcement.                                        | Y / - / -                               | -                   |
| Physical & Environmental Security       | CTRL-PES-002 | Supporting Utilities                    | Mechanisms for utility protection (power, water, etc.).                            | Y / - / -                               | -                   |
| Project & Resource Management           | CTRL-PRM-001 | SDLC Management                         | Mechanisms for SDLC change control.                                                | - / - / -                               | -                   |
| Risk Management                         | CTRL-RSK-001 | Risk Management Program                 | Mechanisms for risk controls implementation.                                       | - / - / -                               | -                   |
| Risk Management                         | CTRL-RSK-002 | Data Protection Impact Assessment       | Mechanisms for DPIA on PD systems.                                                 | Y / - / -                               | -                   |
| Secure Engineering & Architecture       | CTRL-SEA-001 | Alignment With Enterprise Architecture  | Mechanisms for architecture alignment with security.                               | Y / - / -                               | -                   |
| Security Awareness & Training           | CTRL-SAT-001 | Security & Privacy Awareness            | Mechanisms for role-relevant training.                                             | - / - / -                               | -                   |
| Security Awareness & Training           | CTRL-SAT-002 | Training Records                        | Mechanisms for documenting/monitoring training.                                    | - / - / -                               | -                   |
| Security Operations                     | CTRL-OPS-001 | Security Operations Center              | Mechanisms for 24x7 SOC.                                                           | - / - / -                               | -                   |
| Technology Development & Acquisition    | CTRL-TDA-001 | Secure Coding                           | Mechanisms for secure coding principles.                                           | Y / Y / Y                               | -                   |
| Technology Development & Acquisition    | CTRL-TDA-002 | Separation of Environments              | Mechanisms for separate dev/test/prod environments.                                | Y / - / -                               | -                   |
| Technology Development & Acquisition    | CTRL-TDA-003 | Security Testing in Development         | Mechanisms for ST&E plans/remediation.                                             | - / - / -                               | -                   |
| Technology Development & Acquisition    | CTRL-TDA-004 | Use of Live Data                        | Mechanisms for approving live data in dev/test.                                    | Y / - / -                               | -                   |
| Technology Development & Acquisition    | CTRL-TDA-005 | Access to Source Code                   | Mechanisms to limit software library changes.                                      | - / - / -                               | -                   |
| Third-Party Management                  | CTRL-TPM-001 | Third-Party Criticality Assessments     | Mechanisms for assessing critical suppliers.                                       | - / - / -                               | -                   |
| Third-Party Management                  | CTRL-TPM-002 | Third-Party Services                    | Mechanisms for mitigating third-party risks.                                       | - / - / -                               | -                   |
| Third-Party Management                  | CTRL-TPM-003 | Third-Party Contract Requirements       | Mechanisms for reviewing contracts/NDAs.                                           | - / - / -                               | -                   |
| Third-Party Management                  | CTRL-TPM-004 | Monitoring Third-Party Disclosure       | Mechanisms for monitoring unauthorized disclosure.                                 | - / - / -                               | -                   |
| Third-Party Management                  | CTRL-TPM-005 | Review of Third-Party Services          | Mechanisms for auditing TSP compliance.                                            | - / - / -                               | -                   |
| Third-Party Management                  | CTRL-TPM-006 | Third-Party Incident Capabilities       | Mechanisms for response planning with suppliers.                                   | - / - / -                               | -                   |
| Threat Management                       | CTRL-THR-001 | Threat Intelligence Feeds               | Mechanisms for using threat intel.                                                 | - / - / -                               | -                   |
| Threat Management                       | CTRL-THR-002 | Insider Threat Program                  | Mechanisms for insider threat program.                                             | - / - / -                               | -                   |
| Vulnerability & Patch Management        | CTRL-VPM-001 | Vulnerability Remediation Process       | Mechanisms for identifying/remediating vulnerabilities.                            | Y / - / -                               | -                   |
| Vulnerability & Patch Management        | CTRL-VPM-002 | Software & Firmware Patching            | Mechanisms for patching OS/apps/firmware.                                          | Y / Y / - (ITRC)                        | -                   |
| Vulnerability & Patch Management        | CTRL-VPM-003 | Vulnerability Scanning                  | Mechanisms for recurring scanning.                                                 | Y / Y / Y (ITCS)                        | -                   |
| Vulnerability & Patch Management        | CTRL-VPM-004 | Penetration Testing                     | Mechanisms for conducting pen testing.                                             | Y / Y / - (ITCS)                        | -                   |
| Web Security                            | CTRL-WEB-001 | Web Application Firewall                | Mechanisms for deploying WAFs.                                                     | Y / - / -                               | -                   |
| Web Security                            | CTRL-WEB-002 | Client-Facing Web Services              | Mechanisms for protecting client data in web services.                             | - / - / -                               | -                   |
