NIST, Computer Security Division, Computer Security Resource Center
ASSESSMENT CASES - DOwnload page
Key to Download Case Assessment Files:
There is a Microsoft (MS) Word or PDF file for each assessment case, and an assessment case for each security control identified below. For example, file name: Assessment Case – AC-02 ipd.doc is the Word file for assessment case for the Access Control family security control number AC-2, which is named Account Management.
To make it easier to download these assessment cases, we created 18 separate zip files. There is a zip MS Word file and/or a zip PDF file for each security control family. All assessment case files for a particular family (ex. Access Control, Maintenance, etc.) are within one zip file. For example, for the Access Control family, there are 20 MS Word or 20 PDF documents inside the zip file, for the 20 separate assessment cases that are included in Access Control family. There are 17 separate families for these assessment cases. The tables below should help you figure out what family you need to download and/or what files to open within that particular family. The 18th zip file contains ALL of the assessment case files for all 17 families, which are separately zipped up in one zipped file.
Word files: Download All 17 families in 1 zip file (zip)
PDF files: Download All 17 families in 1 zip file (zip)
Note: After downloading the complete set of 17 families in one zipped file, once the file is unzipped, then you will find each family in its own separate zipped file - 17 zipped files total. Once a particular family zipped file is unzipped, then you will find multiple MS Word files - one for each Control Name for that particular family. Refer to tables below for guidance for titles of each control name.
ACCESS CONTROL
| CONTROL NUMBER |
CONTROL NAME |
| AC-1 | Access Control Policy and Procedures |
| AC-2 | Account Management |
| AC-3 | Access Enforcement |
| AC-4 | Information Flow Enforcement |
| AC-5 | Separation of Duties |
| AC-6 | Least Privilege |
| AC-7 | Unsuccessful Login Attempts |
| AC-8 | System Use Notification |
| AC-9 | Previous Logon Notification |
| AC-10 | Concurrent Session Control |
| AC-11 | Session Lock |
| AC-12 | Session Termination |
| AC-13 | Supervision and Review—Access Control |
| AC-14 | Permitted Actions without Identification or Authentication |
| AC-15 | Automated Marking |
| AC-16 | Automated Labeling |
| AC-17 | Remote Access |
| AC-18 | Wireless Access Restrictions |
| AC-19 | Access Control for Portable and Mobile Devices |
| AC-20 | Use of External Information Systems |
Download the 20 Access Control Assessment Cases
|
|
AWARENESS AND TRAINING
| CONTROL NUMBER |
CONTROL NAME |
| AT-1 | Security Awareness and Training Policy and Procedures |
| AT-2 | Security Awareness |
| AT-3 | Security Training |
| AT-4 | Security Training Records |
| AT-5 | Contacts with Security Groups and Associations |
Download the 5 Awareness and Training Assessment Cases
|
|
AUDIT AND ACCOUNTABILITY
| CONTROL NUMBER |
CONTROL NAME |
| AU-1 | Audit and Accountability Policy and Procedures |
| AU-2 | Auditable Events |
| AU-3 | Content of Audit Records |
| AU-4 | Audit Storage Capacity |
| AU-5 | Response to Audit Processing Failures |
| AU-6 | Audit Monitoring, Analysis, and Reporting |
| AU-7 | Audit Reduction and Report Generation |
| AU-8 | Time Stamps |
| AU-9 | Protection of Audit Information |
| AU-10 | Non-repudiation |
| AU-11 | Audit Record Retention |
Download the 11 Audit and Accountability Assessment Cases
|
|
CERTIFICATION, ACCREDITATION AND SECURITY ASSESSMENTS
| CONTROL NUMBER |
CONTROL NAME |
| CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures |
| CA-2 | Security Assessments |
| CA-3 | Information System Connections |
| CA-4 | Security Certification |
| CA-5 | Plan of Action and Milestones |
| CA-6 | Security Accreditation |
| CA-7 | Continuous Monitoring |
Download the 7 Certification, Accreditation and Security Assessment Cases
|
|
CONFIGURATION MANAGEMENT
| CONTROL NUMBER |
CONTROL NAME |
| CM-1 | Configuration Management Policy and Procedures |
| CM-2 | Baseline Configuration |
| CM-3 | Configuration Change Control |
| CM-4 | Monitoring Configuration Changes |
| CM-5 | Access Restrictions for Change |
| CM-6 | Configuration Settings |
| CM-7 | Least Functionality |
| CM-8 | Information System Component Inventory |
Download the 8 Configuration Management Assessment Cases
|
|
CONTINGENCY PLANNING
| CONTROL NUMBER |
CONTROL NAME |
| CP-1 | Contingency Planning Policy and Procedures |
| CP-2 | Contingency Plan |
| CP-3 | Contingency Training |
| CP-4 | Contingency Plan Testing and Exercises |
| CP-5 | Contingency Plan Update |
| CP-6 | Alternate Storage Site |
| CP-7 | Alternate Processing Site |
| CP-8 | Telecommunications Services |
| CP-9 | Information System Backup |
| CP-10 | Information System Recovery and Reconstitution |
Download the 10 Contingency Planning Assessment Cases
|
|
IDENTIFICATION AND AUTHENTICATION
| CONTROL NUMBER |
CONTROL NAME |
| IA-1 | Identification and Authentication Policy and Procedures |
| IA-2 | User Identification and Authentication |
| IA-3 | Device Identification and Authentication |
| IA-4 | Identifier Management |
| IA-5 | Authenticator Management |
| IA-6 | Authenticator Feedback |
| IA-7 | Cryptographic Module Authentication |
Download the 7 Identification and Authentication Assessment Cases
|
|
INCIDENT RESPONSE
| CONTROL NUMBER |
CONTROL NAME |
| IR-1 | Incident Response Policy and Procedures |
| IR-2 | Incident Response Training |
| IR-3 | Incident Response Testing and Exercises |
| IR-4 | Incident Handling |
| IR-5 | Incident Monitoring |
| IR-6 | Incident Reporting |
| IR-7 | Incident Response Assistance |
Download the 7 Incident Response Assessment Cases
|
|
MAINTENANCE
| CONTROL NUMBER |
CONTROL NAME |
| MA-1 | System Maintenance Policy and Procedures |
| MA-2 | Controlled Maintenance |
| MA-3 | Maintenance Tools |
| MA-4 | Remote Maintenance |
| MA-5 | Maintenance Personnel |
| MA-6 | Timely Maintenance |
Download the 6 Maintenance Assessment Cases
|
|
MEDIA PROTECTION
| CONTROL NUMBER |
CONTROL NAME |
| MP-1 | Media Protection Policy and Procedures |
| MP-2 | Media Access |
| MP-3 | Media Labeling |
| MP-4 | Media Storage |
| MP-5 | Media Transport |
| MP-6 | Media Sanitization and Disposal |
Download the 6 Media Protection Assessment Cases
|
|
PHYSICAL AND ENVIRONMENTAL PROTECTION
| CONTROL NUMBER |
CONTROL NAME |
| PE-1 | Physical and Environmental Protection Policy and Procedures |
| PE-2 | Physical Access Authorizations |
| PE-3 | Physical Access Control |
| PE-4 | Access Control for Transmission Medium |
| PE-5 | Access Control for Display Medium |
| PE-6 | Monitoring Physical Access |
| PE-7 | Visitor Control |
| PE-8 | Access Records |
| PE-9 | Power Equipment and Power Cabling |
| PE-10 | Emergency Shutoff |
| PE-11 | Emergency Power |
| PE-12 | Emergency Lighting |
| PE-13 | Fire Protection |
| PE-14 | Temperature and Humidity Controls |
| PE-15 | Water Damage Protection |
| PE-16 | Delivery and Removal |
| PE-17 | Alternate Work Site |
| PE-18 | Location of Information System Components |
| PE-19 | Information Leakage |
Download the 19 Physical and Environmental Protection Assessment Cases
|
|
PLANNING
| CONTROL NUMBER |
CONTROL NAME |
| PL-1 | Security Planning Policy and Procedures |
| PL-2 | System Security Plan |
| PL-3 | System Security Plan Update |
| PL-4 | Rules of Behavior |
| PL-5 | Privacy Impact Assessment |
| PL-6 | Security-Related Activity Planning |
Download the 6 Planning Assessment Cases
|
|
PERSONNEL SECURITY
| CONTROL NUMBER |
CONTROL NAME |
| PS-1 | Personnel Security Policy and Procedures |
| PS-2 | Position Categorization |
| PS-3 | Personnel Screening |
| PS-4 | Personnel Termination |
| PS-5 | Personnel Transfer |
| PS-6 | Access Agreements |
| PS-7 | Third-Party Personnel Security |
| PS-8 | Personnel Sanctions |
Download the 8 Personnel Security Assessment Cases
|
|
RISK ASSESSMENT
| CONTROL NUMBER |
CONTROL NAME |
| RA-1 | Risk Assessment Policy and Procedures |
| RA-2 | Security Categorization |
| RA-3 | Risk Assessment |
| RA-4 | Risk Assessment Update |
| RA-5 | Vulnerability Scanning |
Download the 5 Risk Assessment Cases
|
|
SYSTEM AND SERVICES ACQUISITION
| CONTROL NUMBER |
CONTROL NAME |
| SA-1 | System and Services Acquisition Policy and Procedures |
| SA-2 | Allocation of Resources |
| SA-3 | Life Cycle Support |
| SA-4 | Acquisitions |
| SA-5 | Information System Documentation |
| SA-6 | Software Usage Restrictions |
| SA-7 | User Installed Software |
| SA-8 | Security Engineering Principles |
| SA-9 | External Information System Services |
| SA-10 | Developer Configuration Management |
| SA-11 | Developer Security Testing |
Download the 11 System and Services Acquisition Assessment Cases
|
|
SYSTEM AND COMMUNICATIONS PROTECTION
| CONTROL NUMBER |
CONTROL NAME |
| SC-1 | System and Communications Protection Policy and Procedures |
| SC-2 | Application Partitioning |
| SC-3 | Security Function Isolation |
| SC-4 | Information Remnance |
| SC-5 | Denial of Service Protection |
| SC-6 | Resource Priority |
| SC-7 | Boundary Protection |
| SC-8 | Transmission Integrity |
| SC-9 | Transmission Confidentiality |
| SC-10 | Network Disconnect |
| SC-11 | Trusted Path |
| SC-12 | Cryptographic Key Establishment and Management |
| SC-13 | Use of Cryptography |
| SC-14 | Public Access Protections |
| SC-15 | Collaborative Computing |
| SC-16 | Transmission of Security Parameters |
| SC-17 | Public Key Infrastructure Certificates |
| SC-18 | Mobile Code |
| SC-19 | Voice Over Internet Protocol |
| SC-20 | Secure Name /Address Resolution Service (Authoritative Source) |
| SC-21 | Secure Name /Address Resolution Service (Recursive or Caching Resolver) |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service |
| SC-23 | Session Authenticity |
Download the 23 System and Communications Protection Assessment Cases
|
|
SYSTEM AND INFORMATION INTEGRITY
| CONTROL NUMBER |
CONTROL NAME |
| SI-1 | System and Information Integrity Policy and Procedures |
| SI-2 | Flaw Remediation |
| SI-3 | Malicious Code Protection |
| SI-4 | Information System Monitoring Tools and Techniques |
| SI-5 | Security Alerts and Advisories |
| SI-6 | Security Functionality Verification |
| SI-7 | Software and Information Integrity |
| SI-8 | Spam Protection |
| SI-9 | Information Input Restrictions |
| SI-10 | Information Accuracy, Completeness, Validity, and Authenticity |
| SI-11 | Error Handling |
| SI-12 | Information Output Handling and Retention |
Download the 12 System and Information Integrity Assessment Cases
|
|