Control Library

| Control Category | Control ID | Control Summary | Control Description | Applicable ITRA Levels (1 / 2 / 3) | EOS Risk Assessment |
| --- | --- | --- | --- | --- | --- |
| IT & Cybersecurity Governance | CTRL-GOV-001 | Digital Security Governance Program | Mechanisms to implement cybersecurity and privacy governance controls. | - / - / - | - |
| IT & Cybersecurity Governance | CTRL-GOV-002 | Publishing IT Documentation | Mechanisms to establish/maintain/disseminate IT policies/standards/procedures. | - / - / - | - |
| IT & Cybersecurity Governance | CTRL-GOV-003 | Periodic Review of IT Documentation | Mechanisms to review program/policies at intervals or upon changes. | - / - / - | - |
| Asset Management | CTRL-AST-001 | Asset Inventories | Mechanisms for asset inventories, including software, granularity, accountability. | Y / - / - | Y |
| Asset Management | CTRL-AST-002 | Network Diagrams & DFDs | Mechanisms for maintaining diagrams with security details and data flows. | - / - / - | - |
| Asset Management | CTRL-AST-003 | Secure Disposal of Equipment | Mechanisms for secure disposal/destruction/repurpose per standards. | - / - / Y (ITRC) | Y (ITRC) |
| Asset Management | CTRL-AST-004 | BYOD Usage | Mechanisms to govern BYOD program risks. | - / - / - | - |
| Artificial & Autonomous Technologies | CTRL-AAT-001 | AI TEVV Trustworthiness Assessment | Mechanisms to evaluate AI/AAT for trustworthy behavior/security. | - / - / - | - |
| Business Continuity & Disaster Recovery | CTRL-BCD-001 | Identify Critical Assets | Mechanisms to document critical systems supporting missions. | - / - / - | - |
| Business Continuity & Disaster Recovery | CTRL-BCD-002 | Contingency Plan Testing | Mechanisms for tests/exercises to evaluate plan effectiveness. | Y / Y / - | Y (ITRC) |
| Business Continuity & Disaster Recovery | CTRL-BCD-003 | Data Backups | Mechanisms for backups/verification per RTO/RPO, with access restrictions/crypto. | Y / Y / Y (ITRC) | - |
| Business Continuity & Disaster Recovery | CTRL-BCD-004 | Contingency Planning & Updates | Mechanisms to update plans with needs/changes/testing. | - / - / - | - |
| Capacity & Performance Planning | CTRL-CAP-001 | Capacity Planning | Mechanisms for capacity planning during contingencies. | - / - / Y (ITRC) | - |
| Capacity & Performance Planning | CTRL-CAP-002 | Performance Monitoring | Automated mechanisms for monitoring/alerting system health. | Y / Y / Y (ITRC) | - |
| Change Management | CTRL-CHG-001 | Configuration Change Control | Mechanisms for governing change control processes. | - / - / - | - |
| Change Management | CTRL-CHG-002 | Prohibition Of Changes | Mechanisms to prohibit unauthorized changes. | - / - / - | - |
| Change Management | CTRL-CHG-003 | Test, Validate & Document Changes | Mechanisms for testing/documenting in non-prod before prod. | - / - / - | - |
| Cloud Security | CTRL-CLD-001 | Cloud Infrastructure Onboarding | Mechanisms to secure cloud services per standards. | - / - / - | - |
| Cloud Security | CTRL-CLD-002 | Cloud Security Architecture | Mechanisms for secure cloud design/maintenance. | - / - / - | - |
| Cloud Security | CTRL-CLD-003 | API Security | Mechanisms for secure interoperability. | Y / - / - | - |
| Cloud Security | CTRL-CLD-004 | Virtual Machine Images | Mechanisms for VM image integrity. | - / - / - | - |
| Cloud Security | CTRL-CLD-005 | Multi-Tenant Environments | Mechanisms for tenant segmentation. | Y / - / - | - |
| Cloud Security | CTRL-CLD-006 | Data Handling & Portability | Mechanisms for secure data protocols in cloud. | Y / - / - | - |
| Cloud Security | CTRL-CLD-007 | Sensitive Data In Public Clouds | Mechanisms to limit sensitive data in public clouds. | Y / - / - | - |
| Cloud Security | CTRL-CLD-008 | Cloud Access Point | Mechanisms for CAP boundary protection/monitoring. | - / - / - | - |
| Compliance | CTRL-CPL-001 | Statutory/Regulatory Compliance | Mechanisms for identifying/implementing compliance controls. | - / - / Y (ITRC) (If personal data) | - |
| Configuration Management | CTRL-CFG-001 | System Hardening | Mechanisms for secure baselines per standards; automate/report. | Y / Y / Y (ITRC) | - |
| Configuration Management | CTRL-CFG-002 | Configuration Enforcement | Automated mechanisms for endpoint config monitoring/enforcement. | - / - / - | - |
| Continuous Monitoring | CTRL-MON-001 | Centralized Security Event Logs | Mechanisms for SIEM centralized log collection/analysis. | Y / Y / Y (ITCS) | - |
| Continuous Monitoring | CTRL-MON-002 | Anomalous Behavior | Mechanisms to detect/respond to anomalous behavior. | - / - / - | - |
| Cryptographic Protections | CTRL-CRY-001 | Transmission Confidentiality | Crypto mechanisms for data in transmission. | Y / Y / - (ITCS) (If confidential data) | - |
| Cryptographic Protections | CTRL-CRY-002 | Transmission Integrity | Crypto mechanisms for data integrity in transmission. | - / - / - | - |
| Cryptographic Protections | CTRL-CRY-003 | Encrypting Data At Rest | Crypto mechanisms for data at rest. | Y / Y / - (ITCS) (If confidential data) | - |
| Cryptographic Protections | CTRL-CRY-004 | Cryptographic Key Management | Mechanisms for key management. | Y / - / - | - |
| Data Classification & Handling | CTRL-DCH-001 | Data & Asset Classification | Mechanisms for categorizing data/assets per requirements. | - / - / - | - |
| Data Classification & Handling | CTRL-DCH-002 | Digital Media Sanitization | Mechanisms for sanitizing media per classification. | - / - / - | - |
| Data Classification & Handling | CTRL-DCH-003 | Removable Media Security | Mechanisms to restrict removable media per parameters. | Y / - / - | - |
| Data Classification & Handling | CTRL-DCH-004 | Use of External Systems | Mechanisms to govern external data handling. | - / - / - | - |
| Data Classification & Handling | CTRL-DCH-005 | Limitations on Use | Mechanisms to restrict sensitive data use/distribution. | - / - / - | - |
| Data Classification & Handling | CTRL-DCH-006 | Periodic Scans for Sensitive Data | Mechanisms to scan for sensitive data. | - / - / - | - |
| Data Classification & Handling | CTRL-DCH-007 | Ad-Hoc Large File Transfers | Mechanisms to secure large file exchanges. | Y / - / - | - |
| Data Classification & Handling | CTRL-DCH-008 | Media & Data Retention | Mechanisms for retention per obligations. | Y / - / - | - |
| Data Classification & Handling | CTRL-DCH-009 | Information Location | Mechanisms to identify info locations. | - / - / - | - |
| Data Classification & Handling | CTRL-DCH-010 | Transfer of Sensitive Data | Mechanisms to govern cross-border transfers. | Y / - / - | - |
| Embedded Technology | CTRL-EMB-001 | Internet of Things (IoT) | Mechanisms to manage IoT risks. | - / - / - | - |
| Embedded Technology | CTRL-EMB-002 | Operational Technology (OT) | Mechanisms to manage OT risks. | - / - / - | - |
| Endpoint Security | CTRL-END-001 | Malicious Code Protection | Mechanisms for antimalware detection/eradication. | Y / Y / - (ITCS) | - |
| Endpoint Security | CTRL-END-002 | Endpoint Protection Measures | Mechanisms for endpoint CIA/safety protection. | Y / - / - | - |
| Endpoint Security | CTRL-END-003 | Prohibit Installation Without Privilege | Mechanisms to prohibit unprivileged installs. | Y / - / - | - |
| Endpoint Security | CTRL-END-004 | Endpoint File Integrity Monitoring | Mechanisms for FIM detection/reporting. | - / - / - | - |
| Endpoint Security | CTRL-END-005 | Phishing & Spam Protection | Mechanisms for anti-phishing/spam. | - / - / - | - |
| Human Resources Security | CTRL-HRS-001 | Roles & Responsibilities | Mechanisms to define cybersecurity responsibilities. | - / - / - | - |
| Human Resources Security | CTRL-HRS-002 | Personnel Screening | Mechanisms for screening before access. | - / - / - | - |
| Human Resources Security | CTRL-HRS-003 | Confidentiality Agreements | Mechanisms for NDAs/confidentiality agreements. | - / - / - | - |
| Identification & Authentication | CTRL-IAC-001 | Organizational User Identification | Mechanisms for AAA organizational users. | Y / Y / Y (ITCS) | - |
| Identification & Authentication | CTRL-IAC-002 | Non-Organizational User Identification | Mechanisms for AAA third-party users. | Y / - / - | - |
| Identification & Authentication | CTRL-IAC-003 | Multi-Factor Authentication | Mechanisms for MFA in specified scenarios. | - / - / - | - |
| Identification & Authentication | CTRL-IAC-004 | User Provisioning & De-Provisioning | Mechanisms for registration/de-registration/revocation. | Y / - / - | - |
| Identification & Authentication | CTRL-IAC-005 | Role-Based Access Control | Mechanisms for RBAC with need-to-know. | Y / - / - | - |
| Identification & Authentication | CTRL-IAC-006 | Account Management | Mechanisms for governing account types. | - / - / - | - |
| Identification & Authentication | CTRL-IAC-007 | Privileged Account Management | Mechanisms for restricting privileged access. | Y / Y / Y (ITRC) | - |
| Identification & Authentication | CTRL-IAC-008 | Password-Based Authentication | Mechanisms for strong password criteria. | Y / - / - | - |
| Incident Response | CTRL-IRO-001 | Incident Handling | Mechanisms for incident lifecycle. | - / - / - | - |
| Incident Response | CTRL-IRO-002 | Integrated Incident Response Team | Mechanisms for establishing response team. | - / - / - | - |
| Incident Response | CTRL-IRO-003 | Chain of Custody & Forensics | Mechanisms for forensics/chain of custody. | - / - / - | - |
| Incident Response | CTRL-IRO-004 | RCA & Lessons Learned | Mechanisms to incorporate lessons learned. | - / - / - | - |
| Maintenance | CTRL-MNT-001 | Controlled Maintenance | Mechanisms for lifecycle maintenance. | - / - / - | - |
| Maintenance | CTRL-MNT-002 | Maintenance Monitoring | Mechanisms for tracking maintenance quality. | - / - / - | - |
| Mobile Device Management | CTRL-MDM-001 | Access Control For Mobile Devices | Mechanisms for mobile access controls. | - / - / - | - |
| Mobile Device Management | CTRL-MDM-002 | Device/Container Encryption | Crypto mechanisms for mobile encryption. | - / - / - | - |
| Mobile Device Management | CTRL-MDM-003 | Remote Purging | Mechanisms for remote info purge. | - / - / - | - |
| Network Security | CTRL-NET-001 | Layered Network Defenses | Mechanisms for layered security design. | Y / Y / - (ITCS) | - |
| Network Security | CTRL-NET-002 | Boundary Protection | Mechanisms for boundary monitoring/control. | Y / - / - | - |
| Network Security | CTRL-NET-003 | Data Flow Enforcement (ACLs) | Mechanisms for firewall/router configs. | Y / - / - | - |
| Network Security | CTRL-NET-004 | Network Segmentation | Mechanisms for resource isolation. | Y / Y / - (ITCS) | - |
| Network Security | CTRL-NET-005 | NIDS/NIPS | Mechanisms for intrusion detection/prevention. | Y / - / - | - |
| Network Security | CTRL-NET-006 | Remote Access | Mechanisms for secure remote access methods. | Y / Y / - (ITCS) | - |
| Network Security | CTRL-NET-007 | Wireless Networking | Mechanisms for wireless control/monitoring. | Y / - / - | - |
| Network Security | CTRL-NET-008 | Data Loss Prevention | Mechanisms for DLP on sensitive info. | Y / Y / - (ITCS) (If confidential data) | - |
| Network Security | CTRL-NET-009 | DNS & Content Filtering | Mechanisms for proxy/filtering traffic. | Y / - / - | - |
| Physical & Environmental Security | CTRL-PES-001 | Physical Access Control | Mechanisms for physical access enforcement. | Y / - / - | - |
| Physical & Environmental Security | CTRL-PES-002 | Supporting Utilities | Mechanisms for utility protection (power, water, etc.). | Y / - / - | - |
| Project & Resource Management | CTRL-PRM-001 | SDLC Management | Mechanisms for SDLC change control. | - / - / - | - |
| Risk Management | CTRL-RSK-001 | Risk Management Program | Mechanisms for risk controls implementation. | - / - / - | - |
| Risk Management | CTRL-RSK-002 | Data Protection Impact Assessment | Mechanisms for DPIA on PD systems. | Y / - / - | - |
| Secure Engineering & Architecture | CTRL-SEA-001 | Alignment With Enterprise Architecture | Mechanisms for architecture alignment with security. | Y / - / - | - |
| Security Awareness & Training | CTRL-SAT-001 | Security & Privacy Awareness | Mechanisms for role-relevant training. | - / - / - | - |
| Security Awareness & Training | CTRL-SAT-002 | Training Records | Mechanisms for documenting/monitoring training. | - / - / - | - |
| Security Operations | CTRL-OPS-001 | Security Operations Center | Mechanisms for 24x7 SOC. | - / - / - | - |
| Technology Development & Acquisition | CTRL-TDA-001 | Secure Coding | Mechanisms for secure coding principles. | Y / Y / Y | - |
| Technology Development & Acquisition | CTRL-TDA-002 | Separation of Environments | Mechanisms for separate dev/test/prod environments. | Y / - / - | - |
| Technology Development & Acquisition | CTRL-TDA-003 | Security Testing in Development | Mechanisms for ST&E plans/remediation. | - / - / - | - |
| Technology Development & Acquisition | CTRL-TDA-004 | Use of Live Data | Mechanisms for approving live data in dev/test. | Y / - / - | - |
| Technology Development & Acquisition | CTRL-TDA-005 | Access to Source Code | Mechanisms to limit software library changes. | - / - / - | - |
| Third-Party Management | CTRL-TPM-001 | Third-Party Criticality Assessments | Mechanisms for assessing critical suppliers. | - / - / - | - |
| Third-Party Management | CTRL-TPM-002 | Third-Party Services | Mechanisms for mitigating third-party risks. | - / - / - | - |
| Third-Party Management | CTRL-TPM-003 | Third-Party Contract Requirements | Mechanisms for reviewing contracts/NDAs. | - / - / - | - |
| Third-Party Management | CTRL-TPM-004 | Monitoring Third-Party Disclosure | Mechanisms for monitoring unauthorized disclosure. | - / - / - | - |
| Third-Party Management | CTRL-TPM-005 | Review of Third-Party Services | Mechanisms for auditing TSP compliance. | - / - / - | - |
| Third-Party Management | CTRL-TPM-006 | Third-Party Incident Capabilities | Mechanisms for response planning with suppliers. | - / - / - | - |
| Threat Management | CTRL-THR-001 | Threat Intelligence Feeds | Mechanisms for using threat intel. | - / - / - | - |
| Threat Management | CTRL-THR-002 | Insider Threat Program | Mechanisms for insider threat program. | - / - / - | - |
| Vulnerability & Patch Management | CTRL-VPM-001 | Vulnerability Remediation Process | Mechanisms for identifying/remediating vulnerabilities. | Y / - / - | - |
| Vulnerability & Patch Management | CTRL-VPM-002 | Software & Firmware Patching | Mechanisms for patching OS/apps/firmware. | Y / Y / - (ITRC) | - |
| Vulnerability & Patch Management | CTRL-VPM-003 | Vulnerability Scanning | Mechanisms for recurring scanning. | Y / Y / Y (ITCS) | - |
| Vulnerability & Patch Management | CTRL-VPM-004 | Penetration Testing | Mechanisms for conducting pen testing. | Y / Y / - (ITCS) | - |
| Web Security | CTRL-WEB-001 | Web Application Firewall | Mechanisms for deploying WAFs. | Y / - / - | - |
| Web Security | CTRL-WEB-002 | Client-Facing Web Services | Mechanisms for protecting client data in web services. | - / - / - | - |
