{
    "count": 110,
    "families": 14,
    "note": "Weight is the DoD Assessment Methodology deduction (5/3/1) applied when a control is unmet, from a start of 110. partial=true controls allow a documented deduct-3 state.",
    "data": [
        {
            "family": "3.1 Access Control",
            "controls": [
                {
                    "id": "3.1.1",
                    "title": "Limit system access to authorized users, processes, and devices",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.2",
                    "title": "Limit access to the transactions and functions users may execute",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.3",
                    "title": "Control the flow of CUI per approved authorizations",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.4",
                    "title": "Separate the duties of individuals",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.5",
                    "title": "Employ least privilege",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.1.6",
                    "title": "Use non-privileged accounts for non-security functions",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.7",
                    "title": "Prevent non-privileged users from executing privileged functions",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.8",
                    "title": "Limit unsuccessful logon attempts",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.9",
                    "title": "Provide privacy and security notices",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.10",
                    "title": "Use session lock with pattern-hiding displays",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.11",
                    "title": "Terminate user sessions after a defined condition",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.12",
                    "title": "Monitor and control remote access sessions",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.13",
                    "title": "Use cryptographic mechanisms to protect remote access",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.14",
                    "title": "Route remote access via managed access control points",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.15",
                    "title": "Authorize remote execution of privileged commands",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.16",
                    "title": "Authorize wireless access prior to allowing connections",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.17",
                    "title": "Protect wireless access using authentication and encryption",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.18",
                    "title": "Control connection of mobile devices",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.1.19",
                    "title": "Encrypt CUI on mobile devices and mobile platforms",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.1.20",
                    "title": "Verify and control connections to external systems",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.21",
                    "title": "Limit use of portable storage devices on external systems",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.1.22",
                    "title": "Control CUI posted or processed on publicly accessible systems",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.2 Awareness & Training",
            "controls": [
                {
                    "id": "3.2.1",
                    "title": "Make managers, admins, and users aware of security risks",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.2.2",
                    "title": "Train personnel to carry out their security responsibilities",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.2.3",
                    "title": "Provide security awareness training on insider threat",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.3 Audit & Accountability",
            "controls": [
                {
                    "id": "3.3.1",
                    "title": "Create and retain system audit logs and records",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.3.2",
                    "title": "Ensure actions can be uniquely traced to individual users",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.3.3",
                    "title": "Review and update logged events",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.3.4",
                    "title": "Alert in the event of an audit logging process failure",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.3.5",
                    "title": "Correlate audit review, analysis, and reporting for investigation",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.3.6",
                    "title": "Provide audit record reduction and report generation",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.3.7",
                    "title": "Synchronize system clocks for audit timestamps",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.3.8",
                    "title": "Protect audit information and tools from unauthorized access",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.3.9",
                    "title": "Limit audit logging management to a subset of privileged users",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.4 Configuration Management",
            "controls": [
                {
                    "id": "3.4.1",
                    "title": "Establish and maintain baseline configurations and inventories",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.4.2",
                    "title": "Establish and enforce security configuration settings",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.4.3",
                    "title": "Track, review, approve/disapprove, and log changes",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.4.4",
                    "title": "Analyze the security impact of changes before implementation",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.4.5",
                    "title": "Define, document, approve, and enforce access for changes",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.4.6",
                    "title": "Employ least functionality",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.4.7",
                    "title": "Restrict nonessential programs, ports, protocols, and services",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.4.8",
                    "title": "Apply deny-by-exception / permit-by-exception for software",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.4.9",
                    "title": "Control and monitor user-installed software",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.5 Identification & Authentication",
            "controls": [
                {
                    "id": "3.5.1",
                    "title": "Identify system users, processes, and devices",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.5.2",
                    "title": "Authenticate users, processes, and devices before access",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.5.3",
                    "title": "Use multifactor authentication (MFA)",
                    "weight": 5,
                    "partial": true
                },
                {
                    "id": "3.5.4",
                    "title": "Employ replay-resistant authentication",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.5.5",
                    "title": "Prevent reuse of identifiers for a defined period",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.5.6",
                    "title": "Disable identifiers after a period of inactivity",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.5.7",
                    "title": "Enforce minimum password complexity",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.5.8",
                    "title": "Prohibit password reuse for a number of generations",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.5.9",
                    "title": "Allow temporary password use with immediate change",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.5.10",
                    "title": "Store and transmit only cryptographically-protected passwords",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.5.11",
                    "title": "Obscure feedback of authentication information",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.6 Incident Response",
            "controls": [
                {
                    "id": "3.6.1",
                    "title": "Establish an operational incident-handling capability",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.6.2",
                    "title": "Track, document, and report incidents",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.6.3",
                    "title": "Test the organizational incident response capability",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.7 Maintenance",
            "controls": [
                {
                    "id": "3.7.1",
                    "title": "Perform maintenance on organizational systems",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.7.2",
                    "title": "Control tools, techniques, mechanisms, and personnel for maintenance",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.7.3",
                    "title": "Sanitize equipment removed for off-site maintenance",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.7.4",
                    "title": "Check media with diagnostic/test programs for malicious code",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.7.5",
                    "title": "Require MFA for nonlocal maintenance sessions",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.7.6",
                    "title": "Supervise maintenance by personnel without required access",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.8 Media Protection",
            "controls": [
                {
                    "id": "3.8.1",
                    "title": "Protect system media (paper and digital) containing CUI",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.8.2",
                    "title": "Limit access to CUI on system media to authorized users",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.8.3",
                    "title": "Sanitize or destroy media containing CUI before disposal/reuse",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.8.4",
                    "title": "Mark media with CUI markings and distribution limitations",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.8.5",
                    "title": "Control access to and account for media during transport",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.8.6",
                    "title": "Encrypt CUI stored on digital media during transport",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.8.7",
                    "title": "Control the use of removable media on system components",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.8.8",
                    "title": "Prohibit use of portable storage with no identifiable owner",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.8.9",
                    "title": "Protect the confidentiality of backup CUI at storage locations",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.9 Personnel Security",
            "controls": [
                {
                    "id": "3.9.1",
                    "title": "Screen individuals prior to authorizing access to CUI",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.9.2",
                    "title": "Protect CUI during and after personnel actions",
                    "weight": 5,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.10 Physical Protection",
            "controls": [
                {
                    "id": "3.10.1",
                    "title": "Limit physical access to systems, equipment, and environments",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.10.2",
                    "title": "Protect and monitor the physical facility and infrastructure",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.10.3",
                    "title": "Escort visitors and monitor visitor activity",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.10.4",
                    "title": "Maintain audit logs of physical access",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.10.5",
                    "title": "Control and manage physical access devices",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.10.6",
                    "title": "Enforce safeguarding measures for CUI at alternate work sites",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.11 Risk Assessment",
            "controls": [
                {
                    "id": "3.11.1",
                    "title": "Periodically assess risk from system operations and CUI",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.11.2",
                    "title": "Scan for vulnerabilities periodically and when identified",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.11.3",
                    "title": "Remediate vulnerabilities per risk assessments",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.12 Security Assessment",
            "controls": [
                {
                    "id": "3.12.1",
                    "title": "Periodically assess security controls for effectiveness",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.12.2",
                    "title": "Develop and implement plans of action (POA&M)",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.12.3",
                    "title": "Monitor security controls on an ongoing basis",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.12.4",
                    "title": "Develop, document, and maintain system security plans (SSP)",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.13 System & Communications Protection",
            "controls": [
                {
                    "id": "3.13.1",
                    "title": "Monitor, control, and protect communications at boundaries",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.13.2",
                    "title": "Employ architectural designs and principles that promote security",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.13.3",
                    "title": "Separate user functionality from system management functionality",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.4",
                    "title": "Prevent unauthorized information transfer via shared resources",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.5",
                    "title": "Implement subnetworks for publicly accessible components",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.13.6",
                    "title": "Deny network traffic by default, allow by exception",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.13.7",
                    "title": "Prevent split tunneling on remote devices",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.8",
                    "title": "Use cryptographic mechanisms to protect CUI in transit",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.13.9",
                    "title": "Terminate network connections at the end of sessions",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.10",
                    "title": "Establish and manage cryptographic keys",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.11",
                    "title": "Employ FIPS-validated cryptography to protect CUI",
                    "weight": 5,
                    "partial": true
                },
                {
                    "id": "3.13.12",
                    "title": "Prohibit remote activation of collaborative computing devices",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.13",
                    "title": "Control and monitor the use of mobile code",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.14",
                    "title": "Control and monitor the use of Voice over IP (VoIP)",
                    "weight": 1,
                    "partial": false
                },
                {
                    "id": "3.13.15",
                    "title": "Protect the authenticity of communications sessions",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.13.16",
                    "title": "Protect the confidentiality of CUI at rest",
                    "weight": 1,
                    "partial": false
                }
            ]
        },
        {
            "family": "3.14 System & Information Integrity",
            "controls": [
                {
                    "id": "3.14.1",
                    "title": "Identify, report, and correct system flaws in a timely manner",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.14.2",
                    "title": "Provide protection from malicious code",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.14.3",
                    "title": "Monitor system security alerts and advisories and act on them",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.14.4",
                    "title": "Update malicious code protection mechanisms",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.14.5",
                    "title": "Perform periodic and real-time scans of files",
                    "weight": 3,
                    "partial": false
                },
                {
                    "id": "3.14.6",
                    "title": "Monitor systems and inbound/outbound traffic for attacks",
                    "weight": 5,
                    "partial": false
                },
                {
                    "id": "3.14.7",
                    "title": "Identify unauthorized use of organizational systems",
                    "weight": 3,
                    "partial": false
                }
            ]
        }
    ]
}