| AC-17 |
Remote Access |
Not Implemented
|
No
|
|
| AC-18 |
Wireless Access |
Not Implemented
|
No
|
|
| AC-19 |
Access Control for Mobile Devices |
Not Implemented
|
No
|
|
| AC-2 |
Account Management |
Not Implemented
|
No
|
|
| AC-20 |
Use of External Systems |
Not Implemented
|
No
|
|
| AC-22 |
Publicly Accessible Content |
Not Implemented
|
No
|
|
| AC-3 |
Access Enforcement |
Not Implemented
|
No
|
|
| AC-7 |
Unsuccessful Logon Attempts |
Not Implemented
|
No
|
|
| AC-8 |
System Use Notification |
Not Implemented
|
No
|
|
| AT-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| AT-2 |
Literacy Training and Awareness |
Not Implemented
|
No
|
|
| AT-3 |
Role-based Training |
Not Implemented
|
No
|
|
| AT-4 |
Training Records |
Not Implemented
|
No
|
|
| AU-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| AU-11 |
Audit Record Retention |
Not Implemented
|
No
|
|
| AU-12 |
Audit Record Generation |
Not Implemented
|
No
|
|
| AU-2 |
Event Logging |
Not Implemented
|
No
|
|
| AU-3 |
Content of Audit Records |
Not Implemented
|
No
|
|
| AU-4 |
Audit Log Storage Capacity |
Not Implemented
|
No
|
|
| AU-5 |
Response to Audit Logging Process Failures |
Not Implemented
|
No
|
|
| AU-6 |
Audit Record Review, Analysis, and Reporting |
Not Implemented
|
No
|
|
| AU-7 |
Audit Record Reduction and Report Generation |
Not Implemented
|
No
|
|
| AU-8 |
Time Stamps |
Not Implemented
|
No
|
|
| AU-9 |
Protection of Audit Information |
Not Implemented
|
No
|
|
| CA-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| CA-2 |
Control Assessments |
Not Implemented
|
No
|
|
| CA-3 |
Information Exchange |
Not Implemented
|
No
|
|
| CA-5 |
Plan of Action and Milestones |
Not Implemented
|
No
|
|
| CA-6 |
Authorization |
Not Implemented
|
No
|
|
| CA-7 |
Continuous Monitoring |
Not Implemented
|
No
|
|
| CA-9 |
Internal System Connections |
Not Implemented
|
No
|
|
| CM-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| CM-10 |
Software Usage Restrictions |
Not Implemented
|
No
|
|
| CM-11 |
User-installed Software |
Not Implemented
|
No
|
|
| CM-2 |
Baseline Configuration |
Not Implemented
|
No
|
|
| CM-4 |
Impact Analyses |
Not Implemented
|
No
|
|
| CM-6 |
Configuration Settings |
Not Implemented
|
No
|
|
| CM-7 |
Least Functionality |
Not Implemented
|
No
|
|
| CM-8 |
System Component Inventory |
Not Implemented
|
No
|
|
| AC-14 |
Permitted Actions Without Identification or Authentication |
Implemented
|
No
|
|
| CP-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| CP-10 |
System Recovery and Reconstitution |
Not Implemented
|
No
|
|
| CP-2 |
Contingency Plan |
Not Implemented
|
No
|
|
| CP-3 |
Contingency Training |
Not Implemented
|
No
|
|
| CP-4 |
Contingency Plan Testing |
Not Implemented
|
No
|
|
| CP-9 |
System Backup |
Inherited
|
Yes
|
|
| IA-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| IA-12 |
Identity Proofing |
Not Implemented
|
No
|
|
| IA-2 |
Identification and Authentication (organizational Users) |
Not Implemented
|
No
|
|
| IA-4 |
Identifier Management |
Not Implemented
|
No
|
|
| IA-5 |
Authenticator Management |
Not Implemented
|
No
|
|
| IA-8 |
Identification and Authentication (non-organizational Users) |
Not Implemented
|
No
|
|
| IR-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| IR-2 |
Incident Response Training |
Not Implemented
|
No
|
|
| IR-4 |
Incident Handling |
Not Implemented
|
No
|
|
| IR-5 |
Incident Monitoring |
Not Implemented
|
No
|
|
| IR-6 |
Incident Reporting |
Not Implemented
|
No
|
|
| IR-7 |
Incident Response Assistance |
Not Implemented
|
No
|
|
| IR-8 |
Incident Response Plan |
Not Implemented
|
No
|
|
| MA-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| MA-2 |
Controlled Maintenance |
Not Implemented
|
No
|
|
| MA-4 |
Nonlocal Maintenance |
Not Implemented
|
No
|
|
| MA-5 |
Maintenance Personnel |
Not Implemented
|
No
|
|
| MP-1 |
Policy and Procedures |
Inherited
|
Yes
|
|
| MP-2 |
Media Access |
Inherited
|
Yes
|
|
| MP-6 |
Media Sanitization |
Inherited
|
Yes
|
|
| MP-7 |
Media Use |
Inherited
|
Yes
|
|
| PE-1 |
Policy and Procedures |
Inherited
|
Yes
|
|
| PE-12 |
Emergency Lighting |
Inherited
|
Yes
|
|
| PE-13 |
Fire Protection |
Inherited
|
Yes
|
|
| PE-14 |
Environmental Controls |
Inherited
|
Yes
|
|
| PE-15 |
Water Damage Protection |
Inherited
|
Yes
|
|
| PE-16 |
Delivery and Removal |
Inherited
|
Yes
|
|
| PE-2 |
Physical Access Authorizations |
Inherited
|
Yes
|
|
| PE-3 |
Physical Access Control |
Inherited
|
Yes
|
|
| PE-6 |
Monitoring Physical Access |
Inherited
|
Yes
|
|
| PE-8 |
Visitor Access Records |
Inherited
|
Yes
|
|
| PL-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| PL-10 |
Baseline Selection |
Not Implemented
|
No
|
|
| PL-11 |
Baseline Tailoring |
Not Implemented
|
No
|
|
| PL-2 |
System Security and Privacy Plans |
Not Implemented
|
No
|
|
| PL-4 |
Rules of Behavior |
Not Implemented
|
No
|
|
| PS-1 |
Policy and Procedures |
Inherited
|
Yes
|
|
| PS-2 |
Position Risk Designation |
Inherited
|
Yes
|
|
| PS-3 |
Personnel Screening |
Inherited
|
Yes
|
|
| PS-4 |
Personnel Termination |
Inherited
|
Yes
|
|
| PS-5 |
Personnel Transfer |
Inherited
|
Yes
|
|
| PS-6 |
Access Agreements |
Inherited
|
Yes
|
|
| PS-7 |
External Personnel Security |
Inherited
|
Yes
|
|
| PS-8 |
Personnel Sanctions |
Inherited
|
Yes
|
|
| PS-9 |
Position Descriptions |
Inherited
|
Yes
|
|
| RA-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| RA-2 |
Security Categorization |
Not Implemented
|
No
|
|
| RA-3 |
Risk Assessment |
Not Implemented
|
No
|
|
| RA-5 |
Vulnerability Monitoring and Scanning |
Not Implemented
|
No
|
|
| RA-7 |
Risk Response |
Not Implemented
|
No
|
|
| RA-9 |
Criticality Analysis |
Not Implemented
|
No
|
|
| SA-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| SA-10 |
Developer Configuration Management |
Not Implemented
|
No
|
|
| SA-11 |
Developer Testing and Evaluation |
Not Implemented
|
No
|
|
| SA-2 |
Allocation of Resources |
Not Implemented
|
No
|
|
| SA-3 |
System Development Life Cycle |
Not Implemented
|
No
|
|
| SA-4 |
Acquisition Process |
Inherited
|
Yes
|
|
| SA-5 |
System Documentation |
Inherited
|
Yes
|
|
| SA-8 |
Security and Privacy Engineering Principles |
Not Implemented
|
No
|
|
| SA-9 |
External System Services |
Inherited
|
Yes
|
|
| SC-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| SC-12 |
Cryptographic Key Establishment and Management |
Not Implemented
|
No
|
|
| SC-13 |
Cryptographic Protection |
Not Implemented
|
No
|
|
| SC-15 |
Collaborative Computing Devices and Applications |
Not Implemented
|
No
|
|
| SC-20 |
Secure Name/address Resolution Service (authoritative Source) |
Not Implemented
|
No
|
|
| SC-21 |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Not Implemented
|
No
|
|
| SC-22 |
Architecture and Provisioning for Name/address Resolution Service |
Not Implemented
|
No
|
|
| SC-39 |
Process Isolation |
Not Implemented
|
No
|
|
| SC-5 |
Denial-of-service Protection |
Not Implemented
|
No
|
|
| SC-7 |
Boundary Protection |
Not Implemented
|
No
|
|
| SI-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| SI-12 |
Information Management and Retention |
Not Implemented
|
No
|
|
| SI-2 |
Flaw Remediation |
Not Implemented
|
No
|
|
| SI-3 |
Malicious Code Protection |
Not Implemented
|
No
|
|
| SI-4 |
System Monitoring |
Not Implemented
|
No
|
|
| SI-5 |
Security Alerts, Advisories, and Directives |
Not Implemented
|
No
|
|
| SR-1 |
Policy and Procedures |
Not Implemented
|
No
|
|
| SR-10 |
Inspection of Systems or Components |
Not Implemented
|
No
|
|
| SR-11 |
Component Authenticity |
Not Implemented
|
No
|
|
| SR-12 |
Component Disposal |
Not Implemented
|
No
|
|
| SR-2 |
Supply Chain Risk Management Plan |
Not Implemented
|
No
|
|
| SR-9 |
Tamper Resistance and Detection |
Not Implemented
|
No
|
|
| AC-1 |
Policy and Procedures |
Implemented
|
No
|
|