{
  "total": 1305,
  "compensating_controls": [
    {
      "control_id": "GOV-01.1",
      "risk_if_not_implemented": "Without Steering Committee & Program Oversight, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides named program ownership that compensates for the absence of Steering Committee & Program Oversight (GOV-01.1) by giving one or more qualified individuals the mission and resources to centrally manage and coordinate the SCRP, so that program-level decisions and risk treatment still have an accountable owner when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Steering Committee & Program Oversight (GOV-01.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-01.2",
      "risk_if_not_implemented": "Without Status Reporting To Governing Body, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-05",
        "name": "Measures of Performance",
        "description": "Mechanisms exist to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
        "justification": "Measures of Performance (GOV-05) provides reported performance measures that compensate for the absence of Status Reporting To Governing Body (GOV-01.2) by developing, reporting and monitoring SCRP measures of performance, which gives leadership an alternative, evidence-based view of program status when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides an executive-facing oversight function that compensates for the absence of Status Reporting To Governing Body (GOV-01.2) by ensuring control status and residual risk are still reported to executive leadership when the primary control is absent; reporting to executive leadership is not the same as reporting to the governing body itself, so that gap should remain tracked as an open item. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-01.3",
      "risk_if_not_implemented": "Without Commitment To Continual Improvements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-02",
        "name": "Security, Compliance & Resilience Resource Management",
        "description": "Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the Security, Compliance & Resilience Program (SCRP) and document all exceptions to this requirement.",
        "justification": "Security, Compliance & Resilience Resource Management (PRM-02) provides capital planning and investment governance that compensates for the absence of Commitment To Continual Improvements (GOV-01.3) by ensuring the resources needed to implement and improve the SCRP are requested, funded and documented, with exceptions recorded, when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Commitment To Continual Improvements (GOV-01.3) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-02.1",
      "risk_if_not_implemented": "Without Exception Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Exception Management (GOV-02.1) by providing a structured, recurring evaluation of the likelihood and magnitude of harm to surface gaps and verify residual control effectiveness; deviations the assessment identifies should still be formally risk-accepted with a named owner and a review date, since an assessment alone does not track or approve exceptions. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides an executive-facing oversight function that compensates for the absence of Exception Management (GOV-02.1) by ensuring deviations from required controls are visible to, and accepted by, executive leadership when the primary control is absent; each deviation should still be recorded with an owner and a review date so that unmanaged exceptions do not accumulate. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-03",
      "risk_if_not_implemented": "Without Periodic Review & Update of Security, Compliance & Resilience Program, the program may drift out of alignment with changing threats, technologies and statutory, regulatory or contractual obligations, leaving controls stale and residual risk unmanaged.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Periodic Review & Update of Security, Compliance & Resilience Program (GOV-03) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-07",
        "name": "Risk Assessment Update",
        "description": "Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.",
        "justification": "Risk Assessment Update (RSK-07) provides periodic assessment and assurance that compensates for the absence of Periodic Review & Update of Security, Compliance & Resilience Program (GOV-03) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-04.1",
      "risk_if_not_implemented": "Without Stakeholder Accountability Structure, ownership of security, compliance and resilience obligations may be unclear, so that controls go unowned and control failures are not escalated or remediated.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides enforced separation of duties that compensates for the absence of Stakeholder Accountability Structure (GOV-04.1) by preventing inappropriate activity by any single individual without collusion, limiting what an unaccountable actor can do; it does not by itself assign accountability, which should be documented separately until the primary control is in place. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides named program ownership that compensates for the absence of Stakeholder Accountability Structure (GOV-04.1) by assigning one or more qualified individuals the mission and resources to centrally manage and coordinate the SCRP, so that accountability for security, compliance and resilience outcomes rests with an identified owner when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-04.2",
      "risk_if_not_implemented": "Without Authoritative Chain of Command, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides defined cybersecurity roles and responsibilities for all personnel that compensate for the absence of Authoritative Chain of Command (GOV-04.2) by making clear who is responsible for which activities; it does not by itself establish the escalation and decision path a chain of command provides, so that path should be documented separately until the primary control is in place. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides named program ownership that compensates for the absence of Authoritative Chain of Command (GOV-04.2) by designating the individuals with the mission and resources to centrally manage and coordinate the SCRP, giving a clear decision-making authority for security, compliance and resilience matters when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-05",
      "risk_if_not_implemented": "Without Measures of Performance, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides an executive-facing oversight function that compensates for the absence of Measures of Performance (GOV-05) by ensuring control effectiveness is still reviewed and reported to executive leadership when the primary control is absent, even without formal performance measures. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-11",
        "name": "Risk Monitoring",
        "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "justification": "Risk Monitoring (RSK-11) provides continuous monitoring of control effectiveness that compensates for the absence of Measures of Performance (GOV-05) by tracking the effectiveness of security, compliance and resilience controls, compliance and change management as part of the continuous monitoring strategy, surfacing control degradation that performance measures would otherwise have made visible. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-05.1",
      "risk_if_not_implemented": "Without Key Performance Indicators (KPIs), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Key Performance Indicators (KPIs) (GOV-05.1) by generating event log reports that aid in detecting and assessing anomalous activity; because event-log reporting is technical and narrow in scope, it evidences only part of what program-level KPIs would measure and should be paired with broader program metrics where practicable. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-11",
        "name": "Risk Monitoring",
        "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "justification": "Risk Monitoring (RSK-11) provides continuous monitoring of control effectiveness that compensates for the absence of Key Performance Indicators (KPIs) (GOV-05.1) by tracking the effectiveness of security, compliance and resilience controls, compliance and change management as part of the continuous monitoring strategy, surfacing control degradation that KPIs would otherwise have made visible. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-05.2",
      "risk_if_not_implemented": "Without Key Risk Indicators (KRIs), security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-05",
        "name": "Risk Ranking",
        "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.",
        "justification": "Risk Ranking (RSK-05) provides risk identification and prioritization that compensates for the absence of Key Risk Indicators (KRIs) (GOV-05.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Key Risk Indicators (KRIs) (GOV-05.2) by generating event log reports that aid in detecting and assessing anomalous activity, giving an operational signal of rising risk in place of formal KRIs; the reports cover only logged technical events, so non-technical risk indicators remain uncovered until the primary control is in place. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-06",
      "risk_if_not_implemented": "Without Contacts With Authorities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) provides an incident reporting capability that compensates for the absence of Contacts With Authorities (GOV-06) by ensuring incidents are still reported in a timely manner to regulatory authorities, affected clients and third-parties, and internal stakeholders when the primary control is absent; the contact details and reporting thresholds for each authority should be documented in the incident response plan so that reporting is not delayed by having to establish contacts during an incident. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides obligation mapping that compensates for the absence of Contacts With Authorities (GOV-06) by identifying the statutory, regulatory and contractual controls that apply to the organization, which in turn identifies the authorities the organization is obliged to engage with and the reporting duties it owes them. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-07",
      "risk_if_not_implemented": "Without Contacts With Groups & Associations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides a cross-organization information-sharing capability that compensates for the absence of Contacts With Groups & Associations (GOV-07) by maintaining an external source of threat information that informs the development of system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Contacts With Groups & Associations (GOV-07) by regularly reviewing processes and documented procedures against the organization's policies, standards and other applicable requirements to surface gaps; internal assessments verify conformity with the organization's own requirements and do not by themselves bring in external practice or threat information, so that limitation should be noted in the risk acceptance. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-08",
      "risk_if_not_implemented": "Without Defining Business Context & Mission, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Defining Business Context & Mission (GOV-08) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides criticality analysis that compensates for the absence of Defining Business Context & Mission (GOV-08) by identifying critical system components and functions for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC), which establishes what the organization depends on when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-09",
      "risk_if_not_implemented": "Without Define Control Objectives, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Define Control Objectives (GOV-09) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides defined instances of control reciprocity within assessment boundaries that partially compensate for the absence of Define Control Objectives (GOV-09) by fixing which controls are relied upon across those boundaries; it does not itself define control objectives, so the organization still lacks an explicit statement of intended control outcomes until the primary control is implemented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-10",
      "risk_if_not_implemented": "Without Data Governance, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Data Governance (GOV-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Governance (GOV-10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-11",
      "risk_if_not_implemented": "Without Purpose Validation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-04",
        "name": "Restrict Collection To Identified Purpose",
        "description": "Mechanisms exist to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
        "justification": "Restrict Collection To Identified Purpose (PRI-04) provides overlapping security capability that compensates for the absence of Purpose Validation (GOV-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Purpose Validation (GOV-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-14",
      "risk_if_not_implemented": "Without Business As Usual (BAU) Security, Compliance & Resilience Practices, security, compliance and resilience activities remain ad hoc rather than embedded in day-to-day operations, so controls are performed inconsistently and degrade over time.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Business As Usual (BAU) Security, Compliance & Resilience Practices (GOV-14) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Business As Usual (BAU) Security, Compliance & Resilience Practices (GOV-14) by reducing human-factor risk through equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-15",
      "risk_if_not_implemented": "Without Operationalizing Security, Compliance & Resilience Capabilities, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Operationalizing Security, Compliance & Resilience Capabilities (GOV-15) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Operationalizing Security, Compliance & Resilience Capabilities (GOV-15) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-15.1",
      "risk_if_not_implemented": "Without Select Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Select Controls (GOV-15.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-12",
        "name": "Statement of Applicability (SOA)",
        "description": "Mechanisms exist to produce a Statement of Applicability (SOA), or similar document, for compliance-related scoping activities.",
        "justification": "Statement of Applicability (SOA) (CPL-12) provides overlapping security capability that compensates for the absence of Select Controls (GOV-15.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-15.2",
      "risk_if_not_implemented": "Without Implement Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-04",
        "name": "Security, Compliance & Resilience In Project Management",
        "description": "Mechanisms exist to assess security, compliance and resilience controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.",
        "justification": "Security, Compliance & Resilience In Project Management (PRM-04) provides resilience and recovery capability that compensates for the absence of Implement Controls (GOV-15.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-10",
        "name": "Control Inheritance",
        "description": "Mechanisms exist to define instances of control inheritance within assessment boundaries.",
        "justification": "Control Inheritance (CPL-10) provides overlapping security capability that compensates for the absence of Implement Controls (GOV-15.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-15.3",
      "risk_if_not_implemented": "Without Assess Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assess Controls (GOV-15.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Assess Controls (GOV-15.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-15.4",
      "risk_if_not_implemented": "Without Authorize Technology Assets, Applications and/or Services (TAAS), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-01",
        "name": "Identity & Access Management (IAM)",
        "description": "Mechanisms exist to facilitate the implementation of identification and access management controls.",
        "justification": "Identity & Access Management (IAM) (IAC-01) provides access control enforcement that compensates for the absence of Authorize Technology Assets, Applications and/or Services (TAAS) (GOV-15.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Authorize Technology Assets, Applications and/or Services (TAAS) (GOV-15.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-15.5",
      "risk_if_not_implemented": "Without Monitor Controls, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Monitor Controls (GOV-15.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Monitor Controls (GOV-15.5) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-16",
      "risk_if_not_implemented": "Without Materiality Determination, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-05",
        "name": "Risk Ranking",
        "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.",
        "justification": "Risk Ranking (RSK-05) provides risk identification and prioritization that compensates for the absence of Materiality Determination (GOV-16) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Materiality Determination (GOV-16) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-16.1",
      "risk_if_not_implemented": "Without Material Risks, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Material Risks (GOV-16.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Material Risks (GOV-16.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-16.2",
      "risk_if_not_implemented": "Without Material Threats, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-11",
        "name": "Risk Monitoring",
        "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "justification": "Risk Monitoring (RSK-11) provides detective monitoring capability that compensates for the absence of Material Threats (GOV-16.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Material Threats (GOV-16.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-17",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Status Reporting, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Security, Compliance & Resilience Status Reporting (GOV-17) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Security, Compliance & Resilience Status Reporting (GOV-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-18",
      "risk_if_not_implemented": "Without Quality Management System (QMS), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Quality Management System (QMS) (GOV-18) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Quality Management System (QMS) (GOV-18) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-19",
      "risk_if_not_implemented": "Without Assurance, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assurance (GOV-19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Assurance (GOV-19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-19.1",
      "risk_if_not_implemented": "Without Assurance Levels (AL), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assurance Levels (AL) (GOV-19.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Assurance Levels (AL) (GOV-19.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-19.2",
      "risk_if_not_implemented": "Without Assessment Objectives (AO), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Assessment Objectives (AO) (GOV-19.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Assessment Objectives (AO) (GOV-19.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-20",
      "risk_if_not_implemented": "Without Mergers, Acquisitions & Divestitures (MA&D), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Mergers, Acquisitions & Divestitures (MA&D) (GOV-20) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Mergers, Acquisitions & Divestitures (MA&D) (GOV-20) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "GOV-20.1",
      "risk_if_not_implemented": "Without Virtual Data Room (VDR), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Virtual Data Room (VDR) (GOV-20.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Virtual Data Room (VDR) (GOV-20.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-01.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies-Related Legal Requirements Definition, statutory, regulatory and contractual obligations that apply to AI and autonomous technologies may go unidentified, leading to non-compliance and ungoverned AI-related risk.",
      "compensating_control_1": {
        "control_id": "AAT-08",
        "name": "Assigned Responsibilities for AI & Autonomous Technologies",
        "description": "Mechanisms exist to define and differentiate roles and responsibilities for:\n(1) Artificial Intelligence (AI) and Autonomous Technologies (AAT) configurations; and\n(2) Oversight of AAT systems.",
        "justification": "Assigned Responsibilities for AI & Autonomous Technologies (AAT-08) provides accountability that compensates for the absence of AI & Autonomous Technologies-Related Legal Requirements Definition (AAT-01.1) by designating the individuals responsible for AAT configuration and oversight, who can be tasked with identifying and tracking the legal obligations the primary control would have defined. Note that assigning responsibility does not by itself enumerate those obligations; the assignee must be explicitly charged with doing so. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides centrally-assigned accountability that compensates for the absence of AI & Autonomous Technologies-Related Legal Requirements Definition (AAT-01.1) by giving one or more qualified individuals the mission and resources to identify and maintain AI-related legal obligations as part of the enterprise-wide Security, Compliance & Resilience Program (SCRP). Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-01.3",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Value Sustainment, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Value Sustainment (AAT-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-09",
        "name": "Define Control Objectives",
        "description": "Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system.",
        "justification": "Define Control Objectives (GOV-09) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Value Sustainment (AAT-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-01.4",
      "risk_if_not_implemented": "Without AI Model & Agent Inventory & Lifecycle Management, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of AI Model & Agent Inventory & Lifecycle Management (AAT-01.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of AI Model & Agent Inventory & Lifecycle Management (AAT-01.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-02",
      "risk_if_not_implemented": "Without Situational Awareness of AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides threat-awareness capability that compensates for the absence of Situational Awareness of AI & Autonomous Technologies (AAT-02) by collecting and sharing threat intelligence that informs system and security architecture, monitoring, threat hunting, response and recovery activities for AI-related threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Situational Awareness of AI & Autonomous Technologies (AAT-02) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-02.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Risk Mapping, AI and autonomous technology risks may go unidentified and ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Risk Mapping (AAT-02.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-10",
        "name": "Threat Analysis",
        "description": "Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.",
        "justification": "Threat Analysis (THR-10) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Risk Mapping (AAT-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-02.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Internal Controls, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TPM-02",
        "name": "Third-Party Criticality Assessments",
        "description": "Mechanisms exist to identify, prioritize and assess suppliers and partners of critical Technology Assets, Applications and/or Services (TAAS) using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.",
        "justification": "Third-Party Criticality Assessments (TPM-02) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Internal Controls (AAT-02.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies Internal Controls (AAT-02.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-02.4",
      "risk_if_not_implemented": "Without AI Threat Modeling & Risk Assessment, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI Threat Modeling & Risk Assessment (AAT-02.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-10",
        "name": "Threat Analysis",
        "description": "Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.",
        "justification": "Threat Analysis (THR-10) provides overlapping security capability that compensates for the absence of AI Threat Modeling & Risk Assessment (AAT-02.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-03",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Context Definition, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of AI & Autonomous Technologies Context Definition (AAT-03) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-08",
        "name": "Defining Business Context & Mission",
        "description": "Mechanisms exist to define the context of its business model and document the organization's mission.",
        "justification": "Defining Business Context & Mission (GOV-08) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Context Definition (AAT-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-03.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Mission and Goals Definition, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides governance capability that compensates for the absence of AI & Autonomous Technologies Mission and Goals Definition (AAT-03.1) by establishing the policies, processes, procedures and practices for mapping, measuring and managing AAT-related risks, within which mission and goals for AAT can be set. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-08",
        "name": "Defining Business Context & Mission",
        "description": "Mechanisms exist to define the context of its business model and document the organization's mission.",
        "justification": "Defining Business Context & Mission (GOV-08) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Mission and Goals Definition (AAT-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-03.2",
      "risk_if_not_implemented": "Without Model & AI Agent Documentation, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Model & AI Agent Documentation (AAT-03.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Model & AI Agent Documentation (AAT-03.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-04",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Business Case, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Business Case (AAT-04) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-08",
        "name": "Defining Business Context & Mission",
        "description": "Mechanisms exist to define the context of its business model and document the organization's mission.",
        "justification": "Defining Business Context & Mission (GOV-08) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Business Case (AAT-04) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-04.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Potential Benefits Analysis, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides criticality analysis capability that compensates for the absence of AI & Autonomous Technologies Potential Benefits Analysis (AAT-04.1) by identifying critical system components and functions at pre-defined SDLC decision points, which informs where AAT adoption is expected to deliver benefit. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Potential Benefits Analysis (AAT-04.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-04.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Potential Costs Analysis, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Potential Costs Analysis (AAT-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Potential Costs Analysis (AAT-04.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-04.3",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Targeted Application Scope, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Targeted Application Scope (AAT-04.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides governance capability that compensates for the absence of AI & Autonomous Technologies Targeted Application Scope (AAT-04.3) by establishing the policies, processes, procedures and practices for mapping, measuring and managing AAT-related risks, within which the intended scope of AAT use can be bounded. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-04.4",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Cost / Benefit Mapping, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Cost / Benefit Mapping (AAT-04.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Cost / Benefit Mapping (AAT-04.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-05",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Training, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Training (AAT-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of AI & Autonomous Technologies Training (AAT-05) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-06",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Fairness & Bias, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Fairness & Bias (AAT-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Fairness & Bias (AAT-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-07.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Impact Assessment, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Impact Assessment (AAT-07.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-15",
        "name": "Operationalizing Security, Compliance & Resilience Capabilities",
        "description": "Mechanisms exist to compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "justification": "Operationalizing Security, Compliance & Resilience Capabilities (GOV-15) provides resilience and recovery capability that compensates for the absence of AI & Autonomous Technologies Impact Assessment (AAT-07.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-07.3",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Continuous Improvements, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Continuous Improvements (AAT-07.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Continuous Improvements (AAT-07.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-08",
      "risk_if_not_implemented": "Without Assigned Responsibilities for AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Assigned Responsibilities for AI & Autonomous Technologies (AAT-08) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Assigned Responsibilities for AI & Autonomous Technologies (AAT-08) by addressing related risk objectives through an alternative control mechanism aligned with process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-09",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Risk Profiling, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Risk Profiling (AAT-09) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-10",
        "name": "Threat Analysis",
        "description": "Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.",
        "justification": "Threat Analysis (THR-10) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Risk Profiling (AAT-09) by addressing related risk objectives through an alternative control mechanism aligned with process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-09.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies High Risk Designations, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies High Risk Designations (AAT-09.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies High Risk Designations (AAT-09.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.2",
      "risk_if_not_implemented": "Without AI TEVV Tools, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI TEVV Tools (AAT-10.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Tools (AAT-10.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.3",
      "risk_if_not_implemented": "Without AI TEVV Trustworthiness Demonstration, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of AI TEVV Trustworthiness Demonstration (AAT-10.3) by addressing related risk objectives through an alternative control mechanism aligned with process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI TEVV Trustworthiness Demonstration (AAT-10.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.5",
      "risk_if_not_implemented": "Without AI TEVV Security & Resiliency Assessment, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAO-06",
        "name": "Technical Verification",
        "description": "Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security, compliance and resilience controls.",
        "justification": "Technical Verification (IAO-06) provides overlapping security capability that compensates for the absence of AI TEVV Security & Resiliency Assessment (AAT-10.5) by addressing related risk objectives through an alternative control mechanism aligned with process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Security & Resiliency Assessment (AAT-10.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.6",
      "risk_if_not_implemented": "Without AI TEVV Transparency & Accountability Assessment, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI TEVV Transparency & Accountability Assessment (AAT-10.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of AI TEVV Transparency & Accountability Assessment (AAT-10.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.7",
      "risk_if_not_implemented": "Without AI TEVV Privacy Assessment, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI TEVV Privacy Assessment (AAT-10.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-16",
        "name": "AI & Autonomous Technologies Production Monitoring",
        "description": "Mechanisms exist to monitor the functionality and behavior of the deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
        "justification": "AI & Autonomous Technologies Production Monitoring (AAT-16) provides detective monitoring capability that compensates for the absence of AI TEVV Privacy Assessment (AAT-10.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.8",
      "risk_if_not_implemented": "Without AI TEVV Fairness & Bias Assessment, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI TEVV Fairness & Bias Assessment (AAT-10.8) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of AI TEVV Fairness & Bias Assessment (AAT-10.8) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.9",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Model Validation, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Model Validation (AAT-10.9) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Model Validation (AAT-10.9) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.11",
      "risk_if_not_implemented": "Without AI TEVV Effectiveness, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of AI TEVV Effectiveness (AAT-10.11) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Effectiveness (AAT-10.11) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.12",
      "risk_if_not_implemented": "Without AI TEVV Comparable Deployment Settings, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI TEVV Comparable Deployment Settings (AAT-10.12) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of AI TEVV Comparable Deployment Settings (AAT-10.12) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.13",
      "risk_if_not_implemented": "Without AI TEVV Post-Deployment Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Post-Deployment Monitoring (AAT-10.13) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of AI TEVV Post-Deployment Monitoring (AAT-10.13) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.14",
      "risk_if_not_implemented": "Without Updating AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Updating AI & Autonomous Technologies (AAT-10.14) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Updating AI & Autonomous Technologies (AAT-10.14) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.15",
      "risk_if_not_implemented": "Without AI TEVV Reporting, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of AI TEVV Reporting (AAT-10.15) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of AI TEVV Reporting (AAT-10.15) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.16",
      "risk_if_not_implemented": "Without AI TEVV Empirically Validated Methods, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Empirically Validated Methods (AAT-10.16) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-06",
        "name": "Technical Verification",
        "description": "Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security, compliance and resilience controls.",
        "justification": "Technical Verification (IAO-06) provides overlapping security capability that compensates for the absence of AI TEVV Empirically Validated Methods (AAT-10.16) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.17",
      "risk_if_not_implemented": "Without AI TEVV Benchmarking Content Provenance, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of AI TEVV Benchmarking Content Provenance (AAT-10.17) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Benchmarking Content Provenance (AAT-10.17) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.18",
      "risk_if_not_implemented": "Without AI TEVV Model Collapse Mitigations, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI TEVV Model Collapse Mitigations (AAT-10.18) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of AI TEVV Model Collapse Mitigations (AAT-10.18) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-10.19",
      "risk_if_not_implemented": "Without AI TEVV Third-Party Risk Management, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI TEVV Third-Party Risk Management (AAT-10.19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of AI TEVV Third-Party Risk Management (AAT-10.19) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-11",
      "risk_if_not_implemented": "Without Robust Stakeholder Engagement for AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of Robust Stakeholder Engagement for AI & Autonomous Technologies (AAT-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Robust Stakeholder Engagement for AI & Autonomous Technologies (AAT-11) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-11.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Stakeholder Feedback Integration, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of AI & Autonomous Technologies Stakeholder Feedback Integration (AAT-11.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Stakeholder Feedback Integration (AAT-11.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-11.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Ongoing Assessments, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updating and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of AI & Autonomous Technologies Ongoing Assessments (AAT-11.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Ongoing Assessments (AAT-11.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-11.3",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies End User Feedback, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies End User Feedback (AAT-11.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies End User Feedback (AAT-11.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-11.4",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Incident & Error Reporting, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AAT-13",
        "name": "AI & Autonomous Technologies Stakeholder Diversity",
        "description": "Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise.",
        "justification": "AI & Autonomous Technologies Stakeholder Diversity (AAT-13) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Incident & Error Reporting (AAT-11.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Incident & Error Reporting (AAT-11.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-12.3",
      "risk_if_not_implemented": "Without Data Source Lineage & Origin Disclosure, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Data Source Lineage & Origin Disclosure (AAT-12.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-12",
        "name": "AI & Autonomous Technologies Intellectual Property Infringement Protections",
        "description": "Mechanisms exist to prevent third-party Intellectual Property (IP) rights infringement by Artificial Intelligence (AI) and Autonomous Technologies (AAT).",
        "justification": "AI & Autonomous Technologies Intellectual Property Infringement Protections (AAT-12) provides detective monitoring capability that compensates for the absence of Data Source Lineage & Origin Disclosure (AAT-12.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-12.4",
      "risk_if_not_implemented": "Without Digital Content Modification Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Digital Content Modification Logging (AAT-12.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Digital Content Modification Logging (AAT-12.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-13",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Stakeholder Diversity, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Stakeholder Diversity (AAT-13) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Stakeholder Diversity (AAT-13) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-13.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Stakeholder Competencies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-07",
        "name": "Contacts With Groups & Associations",
        "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "justification": "Contacts With Groups & Associations (GOV-07) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Stakeholder Competencies (AAT-13.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Stakeholder Competencies (AAT-13.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-14",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Requirements Definitions, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of AI & Autonomous Technologies Requirements Definitions (AAT-14) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Requirements Definitions (AAT-14) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-14.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Implementation Tasks Definition, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Implementation Tasks Definition (AAT-14.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of AI & Autonomous Technologies Implementation Tasks Definition (AAT-14.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-15.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Negative Residual Risks, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Negative Residual Risks (AAT-15.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-08",
        "name": "Defining Business Context & Mission",
        "description": "Mechanisms exist to define the context of the organization's business model and document its mission.",
        "justification": "Defining Business Context & Mission (GOV-08) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Negative Residual Risks (AAT-15.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Production Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Production Monitoring (AAT-16) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Production Monitoring (AAT-16) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Measurement Approaches, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Measurement Approaches (AAT-16.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable security, resilience and compliance conformity testing for Artificial Intelligence (AI) and Autonomous Technologies (AAT) throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Measurement Approaches (AAT-16.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.2",
      "risk_if_not_implemented": "Without Measuring AI & Autonomous Technologies Effectiveness, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Measuring AI & Autonomous Technologies Effectiveness (AAT-16.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Measuring AI & Autonomous Technologies Effectiveness (AAT-16.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.3",
      "risk_if_not_implemented": "Without Unmeasurable AI & Autonomous Technologies Risks, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Unmeasurable AI & Autonomous Technologies Risks (AAT-16.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Unmeasurable AI & Autonomous Technologies Risks (AAT-16.3) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.4",
      "risk_if_not_implemented": "Without Efficacy of AI & Autonomous Technologies Measurement, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IRO-01",
        "name": "Incident Response Operations",
        "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
        "justification": "Incident Response Operations (IRO-01) provides incident response capability that compensates for the absence of Efficacy of AI & Autonomous Technologies Measurement (AAT-16.4) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Efficacy of AI & Autonomous Technologies Measurement (AAT-16.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.5",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Domain Expert Reviews, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Domain Expert Reviews (AAT-16.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of AI & Autonomous Technologies Domain Expert Reviews (AAT-16.5) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.7",
      "risk_if_not_implemented": "Without Pre-Trained AI & Autonomous Technologies Models, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Pre-Trained AI & Autonomous Technologies Models (AAT-16.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Pre-Trained AI & Autonomous Technologies Models (AAT-16.7) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.8",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Event Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Event Logging (AAT-16.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-01",
        "name": "Incident Response Operations",
        "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
        "justification": "Incident Response Operations (IRO-01) provides incident response capability that compensates for the absence of AI & Autonomous Technologies Event Logging (AAT-16.8) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.9",
      "risk_if_not_implemented": "Without Serious Incident Reporting For AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Serious Incident Reporting For AI & Autonomous Technologies (AAT-16.9) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Serious Incident Reporting For AI & Autonomous Technologies (AAT-16.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.10",
      "risk_if_not_implemented": "Without Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies (AAT-16.10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies (AAT-16.10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.11",
      "risk_if_not_implemented": "Without Anomaly Detection & Human Oversight, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Anomaly Detection & Human Oversight (AAT-16.11) by enabling timely detection and containment of, and recovery from, security events while the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Anomaly Detection & Human Oversight (AAT-16.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.12",
      "risk_if_not_implemented": "Without Human-in-the-Loop & Escalation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Human-in-the-Loop & Escalation (AAT-16.12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Human-in-the-Loop & Escalation (AAT-16.12) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.13",
      "risk_if_not_implemented": "Without Emergent Behavior & Collusion Protections, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Emergent Behavior & Collusion Protections (AAT-16.13) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-01",
        "name": "Incident Response Operations",
        "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
        "justification": "Incident Response Operations (IRO-01) provides incident response capability that compensates for the absence of Emergent Behavior & Collusion Protections (AAT-16.13) by enabling timely detection and containment of, and recovery from, security events while the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-16.14",
      "risk_if_not_implemented": "Without Multi-Agent Trust & Communication Validation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Multi-Agent Trust & Communication Validation (AAT-16.14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Multi-Agent Trust & Communication Validation (AAT-16.14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-17.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Environmental Impact & Sustainability, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Environmental Impact & Sustainability (AAT-17.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Environmental Impact & Sustainability (AAT-17.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-17.3",
      "risk_if_not_implemented": "Without Previously Unknown AI & Autonomous Technologies Threats & Risks, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Previously Unknown AI & Autonomous Technologies Threats & Risks (AAT-17.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Previously Unknown AI & Autonomous Technologies Threats & Risks (AAT-17.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-17.4",
      "risk_if_not_implemented": "Without Novel Risk Assessment Methods & Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Novel Risk Assessment Methods & Technologies (AAT-17.4) by enabling timely detection and containment of, and recovery from, security events while the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Novel Risk Assessment Methods & Technologies (AAT-17.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-17.5",
      "risk_if_not_implemented": "Without Fine Tuning Risk Mitigation, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Fine Tuning Risk Mitigation (AAT-17.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Fine Tuning Risk Mitigation (AAT-17.5) by enabling timely detection and containment of, and recovery from, security events while the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-18",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Risk Tracking Approaches, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-11",
        "name": "Risk Monitoring",
        "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "justification": "Risk Monitoring (RSK-11) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Risk Tracking Approaches (AAT-18) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Risk Tracking Approaches (AAT-18) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Conformity, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Conformity (AAT-19) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Conformity (AAT-19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.1",
      "risk_if_not_implemented": "Without Manipulative or Deceptive Techniques, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Manipulative or Deceptive Techniques (AAT-19.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Manipulative or Deceptive Techniques (AAT-19.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.2",
      "risk_if_not_implemented": "Without Materially Distorting Behaviors, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Materially Distorting Behaviors (AAT-19.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Materially Distorting Behaviors (AAT-19.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.3",
      "risk_if_not_implemented": "Without Social Scoring, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Social Scoring (AAT-19.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Social Scoring (AAT-19.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.4",
      "risk_if_not_implemented": "Without Detrimental or Unfavorable Treatment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Detrimental or Unfavorable Treatment (AAT-19.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Detrimental or Unfavorable Treatment (AAT-19.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.5",
      "risk_if_not_implemented": "Without Risk and Criminal Profiling, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Risk and Criminal Profiling (AAT-19.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Risk and Criminal Profiling (AAT-19.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.6",
      "risk_if_not_implemented": "Without the AAT-19.6 control governing Populating Facial Recognition Databases, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Populating Facial Recognition Databases (AAT-19.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Populating Facial Recognition Databases (AAT-19.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.7",
      "risk_if_not_implemented": "Without the AAT-19.7 control governing Emotion Inference, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Emotion Inference (AAT-19.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Emotion Inference (AAT-19.7) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-19.8",
      "risk_if_not_implemented": "Without the AAT-19.8 control governing Biometric Categorization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Biometric Categorization (AAT-19.8) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Biometric Categorization (AAT-19.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-20.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Transparency, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Transparency (AAT-20.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Transparency (AAT-20.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-20.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Implementation Documentation, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Implementation Documentation (AAT-20.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-04",
        "name": "Threat Analysis & Flaw Remediation During Development",
        "description": "Mechanisms exist to require system developers and integrators to create and execute a Security Testing and Evaluation (ST&E) plan, or similar process, to identify and remediate flaws during development.",
        "justification": "Threat Analysis & Flaw Remediation During Development (IAO-04) provides vulnerability management that compensates for the absence of AI & Autonomous Technologies Implementation Documentation (AAT-20.2) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-20.3",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Human Domain Knowledge Reliance, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Human Domain Knowledge Reliance (AAT-20.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Human Domain Knowledge Reliance (AAT-20.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-21",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Registration, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of AI & Autonomous Technologies Registration (AAT-21) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Registration (AAT-21) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-22",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Deployment, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of AI & Autonomous Technologies Deployment (AAT-22) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of AI & Autonomous Technologies Deployment (AAT-22) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-22.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Human Oversight, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of AI & Autonomous Technologies Human Oversight (AAT-22.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that baseline hardening does not itself provide human oversight of the AI system; that residual gap should be documented and accepted explicitly."
      },
      "compensating_control_2": {
        "control_id": "CHG-03",
        "name": "Security Impact Analysis for Changes",
        "description": "Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.",
        "justification": "Security Impact Analysis for Changes (CHG-03) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies Human Oversight (AAT-22.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-22.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Oversight Measures, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides governed change control that compensates for the absence of AI & Autonomous Technologies Oversight Measures (AAT-22.2) by ensuring that technical configuration changes pass through a defined, governed change control process rather than being applied ad hoc. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that CHG-02 governs the change process and does not itself provide the oversight measures of the primary control; the residual gap should be documented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides automated configuration monitoring and enforcement that compensates for the absence of AI & Autonomous Technologies Oversight Measures (AAT-22.2) by detecting, enforcing and reporting on deviations from approved configurations. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Because CFG-06 is scoped to endpoint devices, confirm that the AI system components in question fall within that scope before relying on it."
      }
    },
    {
      "control_id": "AAT-22.3",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Separate Verification, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides automated configuration monitoring and enforcement that compensates for the absence of AI & Autonomous Technologies Separate Verification (AAT-22.3) by detecting, enforcing and reporting on deviations from approved configurations. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Because CFG-06 is scoped to endpoint devices, confirm that the AI system components in question fall within that scope before relying on it."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Separate Verification (AAT-22.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-22.4",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Oversight Functions Competency, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides governed change control that compensates for the absence of AI & Autonomous Technologies Oversight Functions Competency (AAT-22.4) by ensuring that technical configuration changes pass through a defined, governed change control process rather than being applied ad hoc. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that CHG-02 governs the change process and does not itself establish the competency of oversight personnel; the residual gap should be documented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of AI & Autonomous Technologies Oversight Functions Competency (AAT-22.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-22.5",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Data Relevance, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Data Relevance (AAT-22.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides automated configuration monitoring and enforcement that compensates for the absence of AI & Autonomous Technologies Data Relevance (AAT-22.5) by detecting, enforcing and reporting on deviations from approved configurations. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Because CFG-06 is scoped to endpoint devices, confirm that the AI system components in question fall within that scope before relying on it."
      }
    },
    {
      "control_id": "AAT-22.6",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Irregularity Reporting, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of AI & Autonomous Technologies Irregularity Reporting (AAT-22.6) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides governed change control that compensates for the absence of AI & Autonomous Technologies Irregularity Reporting (AAT-22.6) by ensuring that technical configuration changes pass through a defined, governed change control process rather than being applied ad hoc. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that CHG-02 governs the change process and does not itself provide an irregularity reporting channel; the residual gap should be documented."
      }
    },
    {
      "control_id": "AAT-22.7",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Use Notification To Employees, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CHG-03",
        "name": "Security Impact Analysis for Changes",
        "description": "Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.",
        "justification": "Security Impact Analysis for Changes (CHG-03) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies Use Notification To Employees (AAT-22.7) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides automated configuration monitoring and enforcement that compensates for the absence of AI & Autonomous Technologies Use Notification To Employees (AAT-22.7) by detecting, enforcing and reporting on deviations from approved configurations. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Because CFG-06 is scoped to endpoint devices and does not itself notify employees, confirm the scope and document the remaining transparency gap before relying on it."
      }
    },
    {
      "control_id": "AAT-22.8",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Use Notification To Users, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of AI & Autonomous Technologies Use Notification To Users (AAT-22.8) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Use Notification To Users (AAT-22.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-23",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Output Marking, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Output Marking (AAT-23) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Output Marking (AAT-23) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-24",
      "risk_if_not_implemented": "Without Real World Testing of AI & Autonomous Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of Real World Testing of AI & Autonomous Technologies (AAT-24) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Real World Testing of AI & Autonomous Technologies (AAT-24) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-25",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies System Value Chain, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of AI & Autonomous Technologies System Value Chain (AAT-25) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies System Value Chain (AAT-25) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-25.1",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies System Value Chain Fallbacks, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TPM-03",
        "name": "Supply Chain Risk Management (SCRM)",
        "description": "Mechanisms exist to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
        "justification": "Supply Chain Risk Management (SCRM) (TPM-03) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies System Value Chain Fallbacks (AAT-25.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies System Value Chain Fallbacks (AAT-25.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-26",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Testing Techniques, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to:\n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Testing Techniques (AAT-26) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Testing Techniques (AAT-26) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-26.1",
      "risk_if_not_implemented": "Without Generative Artificial Intelligence (GAI) Identification, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Generative Artificial Intelligence (GAI) Identification (AAT-26.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-10",
        "name": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)",
        "description": "Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related security, resilience and compliance-related conformity testing throughout the lifecycle of the AAT.",
        "justification": "Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) (AAT-10) provides periodic assessment and assurance that compensates for the absence of Generative Artificial Intelligence (GAI) Identification (AAT-26.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-26.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Capabilities Testing, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to:\n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Capabilities Testing (AAT-26.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of AI & Autonomous Technologies Capabilities Testing (AAT-26.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-26.3",
      "risk_if_not_implemented": "Without Real-World Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Real-World Testing (AAT-26.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to:\n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Real-World Testing (AAT-26.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-26.4",
      "risk_if_not_implemented": "Without Documenting Testing Guidance, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Documenting Testing Guidance (AAT-26.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to:\n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Documenting Testing Guidance (AAT-26.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-27",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Output Filtering, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of AI & Autonomous Technologies Output Filtering (AAT-27) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of AI & Autonomous Technologies Output Filtering (AAT-27) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-27.1",
      "risk_if_not_implemented": "Without Human Moderation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Human Moderation (AAT-27.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Human Moderation (AAT-27.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-28",
      "risk_if_not_implemented": "Without AI Model Resilience, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of AI Model Resilience (AAT-28) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of AI Model Resilience (AAT-28) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-28.1",
      "risk_if_not_implemented": "Without Model Pollution, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Model Pollution (AAT-28.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Model Pollution (AAT-28.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-28.2",
      "risk_if_not_implemented": "Without Cascading Hallucination Defense, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Cascading Hallucination Defense (AAT-28.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Cascading Hallucination Defense (AAT-28.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-28.3",
      "risk_if_not_implemented": "Without Resource Exhaustion & DoS Resilience, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Resource Exhaustion & DoS Resilience (AAT-28.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Resource Exhaustion & DoS Resilience (AAT-28.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29",
      "risk_if_not_implemented": "Without AI Agent Governance, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides policy-level governance that compensates for the absence of AI Agent Governance (AAT-29) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI Agent Governance (AAT-29) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.1",
      "risk_if_not_implemented": "Without Infrastructure Hardening & Isolation, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Infrastructure Hardening & Isolation (AAT-29.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Infrastructure Hardening & Isolation (AAT-29.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.2",
      "risk_if_not_implemented": "Without AI Agent Limitations, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI Agent Limitations (AAT-29.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of AI Agent Limitations (AAT-29.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.3",
      "risk_if_not_implemented": "Without Tool & API Invocation Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Tool & API Invocation Controls (AAT-29.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Tool & API Invocation Controls (AAT-29.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.4",
      "risk_if_not_implemented": "Without Orchestration Protocol Safeguards, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Orchestration Protocol Safeguards (AAT-29.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Orchestration Protocol Safeguards (AAT-29.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.5",
      "risk_if_not_implemented": "Without Data Pipeline & Input Integrity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides policy-level governance that compensates for the absence of Data Pipeline & Input Integrity (AAT-29.5) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Data Pipeline & Input Integrity (AAT-29.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.6",
      "risk_if_not_implemented": "Without Privileged Role & Delegation Boundaries, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Privileged Role & Delegation Boundaries (AAT-29.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides policy-level governance that compensates for the absence of Privileged Role & Delegation Boundaries (AAT-29.6) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.7",
      "risk_if_not_implemented": "Without AI Agent Data Access Restrictions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI Agent Data Access Restrictions (AAT-29.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides policy-level governance that compensates for the absence of AI Agent Data Access Restrictions (AAT-29.7) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.8",
      "risk_if_not_implemented": "Without Data Extraction, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Data Extraction (AAT-29.8) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Data Extraction (AAT-29.8) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.9",
      "risk_if_not_implemented": "Without AI Agent Identity & Impersonation Defense, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of AI Agent Identity & Impersonation Defense (AAT-29.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of AI Agent Identity & Impersonation Defense (AAT-29.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.10",
      "risk_if_not_implemented": "Without AI Agent Logic Integrity, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of AI Agent Logic Integrity (AAT-29.10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of AI Agent Logic Integrity (AAT-29.10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.11",
      "risk_if_not_implemented": "Without Sandboxing AI Agents, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Sandboxing AI Agents (AAT-29.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Sandboxing AI Agents (AAT-29.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.12",
      "risk_if_not_implemented": "Without Prompt Injection Defense, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Prompt Injection Defense (AAT-29.12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Prompt Injection Defense (AAT-29.12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.13",
      "risk_if_not_implemented": "Without Agent Kill Switch / User Control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Agent Kill Switch / User Control (AAT-29.13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Agent Kill Switch / User Control (AAT-29.13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.14",
      "risk_if_not_implemented": "Without Adversarial & Red Team Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AAT-29",
        "name": "AI Agent Governance",
        "description": "Mechanisms exist to ensure AI agents are designed, developed and deployed to securely operate under human oversight.",
        "justification": "AI Agent Governance (AAT-29) provides policy-level governance that compensates for the absence of Adversarial & Red Team Testing (AAT-29.14) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Adversarial & Red Team Testing (AAT-29.14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.15",
      "risk_if_not_implemented": "Without Self-Modification Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Self-Modification Controls (AAT-29.15) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Self-Modification Controls (AAT-29.15) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.16",
      "risk_if_not_implemented": "Without Purging AI Agent Data, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Purging AI Agent Data (AAT-29.16) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Purging AI Agent Data (AAT-29.16) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.17",
      "risk_if_not_implemented": "Without Delegation and Chaining Control, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Delegation and Chaining Control (AAT-29.17) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Delegation and Chaining Control (AAT-29.17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.18",
      "risk_if_not_implemented": "Without Behavioral Drift Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Behavioral Drift Detection (AAT-29.18) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Behavioral Drift Detection (AAT-29.18) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.19",
      "risk_if_not_implemented": "Without AI Agent Action Authentication & Authorization, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of AI Agent Action Authentication & Authorization (AAT-29.19) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of AI Agent Action Authentication & Authorization (AAT-29.19) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.20",
      "risk_if_not_implemented": "Without Transparency & Audit, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Transparency & Audit (AAT-29.20) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Transparency & Audit (AAT-29.20) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.21",
      "risk_if_not_implemented": "Without Explainability, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Explainability (AAT-29.21) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Explainability (AAT-29.21) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.22",
      "risk_if_not_implemented": "Without Ethics, Fairness & Bias Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Ethics, Fairness & Bias Detection (AAT-29.22) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Ethics, Fairness & Bias Detection (AAT-29.22) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-29.23",
      "risk_if_not_implemented": "Without Agent Output Integrity & Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Agent Output Integrity & Verification (AAT-29.23) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Agent Output Integrity & Verification (AAT-29.23) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-30",
      "risk_if_not_implemented": "Without Agentic Output Traceability & Repudiation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Agentic Output Traceability & Repudiation (AAT-30) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Agentic Output Traceability & Repudiation (AAT-30) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-30.1",
      "risk_if_not_implemented": "Without AI Agent Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of AI Agent Logging (AAT-30.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of AI Agent Logging (AAT-30.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-30.2",
      "risk_if_not_implemented": "Without Session Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Session Management (AAT-30.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Session Management (AAT-30.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-31",
      "risk_if_not_implemented": "Without Human-in-the-Loop Workload & Manipulation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Human-in-the-Loop Workload & Manipulation (AAT-31) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Human-in-the-Loop Workload & Manipulation (AAT-31) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-32",
      "risk_if_not_implemented": "Without Robotic Process Automation (RPA), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AAT-01",
        "name": "Artificial Intelligence (AI) & Autonomous Technologies Governance",
        "description": "Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.",
        "justification": "Artificial Intelligence (AI) & Autonomous Technologies Governance (AAT-01) provides detective monitoring capability that compensates for the absence of Robotic Process Automation (RPA) (AAT-32) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Robotic Process Automation (RPA) (AAT-32) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AAT-32.1",
      "risk_if_not_implemented": "Without Business Process Task Enumeration, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides configuration hardening that compensates for the absence of Business Process Task Enumeration (AAT-32.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Business Process Task Enumeration (AAT-32.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-01.1",
      "risk_if_not_implemented": "Without Asset-Service Dependencies, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Asset-Service Dependencies (AST-01.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Asset-Service Dependencies (AST-01.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-01.2",
      "risk_if_not_implemented": "Without Stakeholder Identification & Involvement, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Stakeholder Identification & Involvement (AST-01.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Stakeholder Identification & Involvement (AST-01.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-01.3",
      "risk_if_not_implemented": "Without Standardized Naming Convention, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Standardized Naming Convention (AST-01.3) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Standardized Naming Convention (AST-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-01.4",
      "risk_if_not_implemented": "Without Approved Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Approved Technologies (AST-01.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Approved Technologies (AST-01.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-01.5",
      "risk_if_not_implemented": "Without Authorized To Connect, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Authorized To Connect (AST-01.5) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Authorized To Connect (AST-01.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.1",
      "risk_if_not_implemented": "Without Updates During Installations / Removals, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Updates During Installations / Removals (AST-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Updates During Installations / Removals (AST-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.2",
      "risk_if_not_implemented": "Without Automated Unauthorized Component Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AST-32",
        "name": "Automated Network Asset Discovery",
        "description": "Mechanisms exist to automate network asset discovery through Software Defined Networking (SDN), or similar technologies, that analyzes network traffic to:\n(1) Identify;\n(2) Document; and \n(3) Track devices.",
        "justification": "Automated Network Asset Discovery (AST-32) provides network-level access restriction that compensates for the absence of Automated Unauthorized Component Detection (AST-02.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automated Unauthorized Component Detection (AST-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.3",
      "risk_if_not_implemented": "Without Component Duplication Avoidance, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Component Duplication Avoidance (AST-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Component Duplication Avoidance (AST-02.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.4",
      "risk_if_not_implemented": "Without Approved Baseline Deviations, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Approved Baseline Deviations (AST-02.4) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Approved Baseline Deviations (AST-02.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.5",
      "risk_if_not_implemented": "Without Network Access Control (NAC), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Network Access Control (NAC) (AST-02.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Network Access Control (NAC) (AST-02.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.6",
      "risk_if_not_implemented": "Without Dynamic Host Configuration Protocol (DHCP) Server Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Dynamic Host Configuration Protocol (DHCP) Server Logging (AST-02.6) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Dynamic Host Configuration Protocol (DHCP) Server Logging (AST-02.6) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.7",
      "risk_if_not_implemented": "Without Software Licensing Restrictions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Software Licensing Restrictions (AST-02.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Software Licensing Restrictions (AST-02.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.8",
      "risk_if_not_implemented": "Without Data Action Mapping, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-32",
        "name": "Automated Network Asset Discovery",
        "description": "Mechanisms exist to automate network asset discovery through Software Defined Networking (SDN), or similar technologies, that analyzes network traffic to:\n(1) Identify;\n(2) Document; and \n(3) Track devices.",
        "justification": "Automated Network Asset Discovery (AST-32) provides network-level access restriction that compensates for the absence of Data Action Mapping (AST-02.8) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Data Action Mapping (AST-02.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.9",
      "risk_if_not_implemented": "Without Configuration Management Database (CMDB), systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Configuration Management Database (CMDB) (AST-02.9) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Configuration Management Database (CMDB) (AST-02.9) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.10",
      "risk_if_not_implemented": "Without Automated Location Tracking, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Automated Location Tracking (AST-02.10) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automated Location Tracking (AST-02.10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-02.11",
      "risk_if_not_implemented": "Without Component Assignment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Component Assignment (AST-02.11) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Component Assignment (AST-02.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-03",
      "risk_if_not_implemented": "Without Asset Ownership Assignment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Asset Ownership Assignment (AST-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Asset Ownership Assignment (AST-03) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-03.1",
      "risk_if_not_implemented": "Without Accountability Information, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Accountability Information (AST-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-03",
        "name": "Identification & Authentication for Non-Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.",
        "justification": "Identification & Authentication for Non-Organizational Users (IAC-03) provides access control enforcement that compensates for the absence of Accountability Information (AST-03.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-03.2",
      "risk_if_not_implemented": "Without Provenance, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides accountable program ownership that compensates for the absence of Provenance (AST-03.2) by ensuring qualified individuals are assigned the mission and resources to manage asset-related controls that would otherwise lack an owner when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Provenance (AST-03.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-04.1",
      "risk_if_not_implemented": "Without Asset Scope Classification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Asset Scope Classification (AST-04.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-04",
        "name": "Network Diagrams & Data Flow Diagrams (DFDs)",
        "description": "Mechanisms exist to maintain network architecture diagrams that: \n(1) Contain sufficient detail to assess the security of the network's architecture;\n(2) Reflect the current architecture of the network environment; and\n(3) Document all sensitive/regulated data flows.",
        "justification": "Network Diagrams & Data Flow Diagrams (DFDs) (AST-04) provides architectural visibility that compensates for the absence of Asset Scope Classification (AST-04.1) by documenting the current network architecture and sensitive/regulated data flows so that in-scope assets and their exposure can be identified. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-04.2",
      "risk_if_not_implemented": "Without Control Applicability Boundary Graphical Representation, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-01",
        "name": "Network Security Controls (NSC)",
        "description": "Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).",
        "justification": "Network Security Controls (NSC) (NET-01) provides network-level access restriction that compensates for the absence of Control Applicability Boundary Graphical Representation (AST-04.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-04",
        "name": "Network Diagrams & Data Flow Diagrams (DFDs)",
        "description": "Mechanisms exist to maintain network architecture diagrams that: \n(1) Contain sufficient detail to assess the security of the network's architecture;\n(2) Reflect the current architecture of the network environment; and\n(3) Document all sensitive/regulated data flows.",
        "justification": "Network Diagrams & Data Flow Diagrams (DFDs) (AST-04) provides architectural visibility that compensates for the absence of Control Applicability Boundary Graphical Representation (AST-04.2) by documenting the current network architecture and sensitive/regulated data flows so that control boundaries and their exposure can be identified. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-04.3",
      "risk_if_not_implemented": "Without Compliance-Specific Asset Identification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-04",
        "name": "Network Diagrams & Data Flow Diagrams (DFDs)",
        "description": "Mechanisms exist to maintain network architecture diagrams that: \n(1) Contain sufficient detail to assess the security of the network's architecture;\n(2) Reflect the current architecture of the network environment; and\n(3) Document all sensitive/regulated data flows.",
        "justification": "Network Diagrams & Data Flow Diagrams (DFDs) (AST-04) provides architectural visibility that compensates for the absence of Compliance-Specific Asset Identification (AST-04.3) by documenting the current network architecture and sensitive/regulated data flows so that assets subject to compliance obligations can be identified. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Compliance-Specific Asset Identification (AST-04.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-05",
      "risk_if_not_implemented": "Without Security of Assets & Media, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Security of Assets & Media (AST-05) by preventing unauthorized physical interaction with systems and infrastructure. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-06",
        "name": "Media Storage",
        "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "justification": "Media Storage (DCH-06) provides overlapping security capability that compensates for the absence of Security of Assets & Media (AST-05) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-05.1",
      "risk_if_not_implemented": "Without Management Approval For External Media Transfer, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Management Approval For External Media Transfer (AST-05.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-06",
        "name": "Media Storage",
        "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "justification": "Media Storage (DCH-06) provides overlapping security capability that compensates for the absence of Management Approval For External Media Transfer (AST-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-06",
      "risk_if_not_implemented": "Without Unattended End-User Equipment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Unattended End-User Equipment (AST-06) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-24",
        "name": "Session Lock",
        "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
        "justification": "Session Lock (IAC-24) provides overlapping security capability that compensates for the absence of Unattended End-User Equipment (AST-06) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-06.1",
      "risk_if_not_implemented": "Without Asset Storage In Automobiles, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-24",
        "name": "Session Lock",
        "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
        "justification": "Session Lock (IAC-24) provides overlapping security capability that compensates for the absence of Asset Storage In Automobiles (AST-06.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Asset Storage In Automobiles (AST-06.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-07",
      "risk_if_not_implemented": "Without Kiosks & Point of Interaction (PoI) Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Kiosks & Point of Interaction (PoI) Devices (AST-07) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Kiosks & Point of Interaction (PoI) Devices (AST-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-08",
      "risk_if_not_implemented": "Without Physical Tampering Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Physical Tampering Detection (AST-08) by identifying unauthorized, anomalous, or non-compliant physical activity that the primary control would have detected. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Physical Tampering Detection (AST-08) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-10",
      "risk_if_not_implemented": "Without Return of Assets, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-03",
        "name": "Asset Ownership Assignment",
        "description": "Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection.",
        "justification": "Asset Ownership Assignment (AST-03) provides overlapping security capability that compensates for the absence of Return of Assets (AST-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Return of Assets (AST-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-11",
      "risk_if_not_implemented": "Without Removal of Assets, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Removal of Assets (AST-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-10",
        "name": "Delivery & Removal",
        "description": "Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
        "justification": "Delivery & Removal (PES-10) provides overlapping security capability that compensates for the absence of Removal of Assets (AST-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-13",
      "risk_if_not_implemented": "Without Use of Third-Party Devices, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "TPM-06",
        "name": "Third-Party Personnel Security",
        "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "justification": "Third-Party Personnel Security (TPM-06) provides third-party oversight that compensates for the absence of Use of Third-Party Devices (AST-13) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-03",
        "name": "Identification & Authentication for Non-Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.",
        "justification": "Identification & Authentication for Non-Organizational Users (IAC-03) provides access control enforcement that compensates for the absence of Use of Third-Party Devices (AST-13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-14",
      "risk_if_not_implemented": "Without Usage Parameters, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Usage Parameters (AST-14) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Usage Parameters (AST-14) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-14.1",
      "risk_if_not_implemented": "Without Bluetooth & Wireless Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Bluetooth & Wireless Devices (AST-14.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Bluetooth & Wireless Devices (AST-14.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-14.2",
      "risk_if_not_implemented": "Without Infrared Communications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Infrared Communications (AST-14.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Infrared Communications (AST-14.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-15",
      "risk_if_not_implemented": "Without Logical Tampering Protection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Logical Tampering Protection (AST-15) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Logical Tampering Protection (AST-15) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-15.1",
      "risk_if_not_implemented": "Without Technology Asset Inspections, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Technology Asset Inspections (AST-15.1) by ensuring data confidentiality and integrity through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Technology Asset Inspections (AST-15.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-17",
      "risk_if_not_implemented": "Without Prohibited Equipment & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Prohibited Equipment & Services (AST-17) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Prohibited Equipment & Services (AST-17) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-18",
      "risk_if_not_implemented": "Without Roots of Trust Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Roots of Trust Protection (AST-18) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Roots of Trust Protection (AST-18) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-19",
      "risk_if_not_implemented": "Without Telecommunications Equipment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Telecommunications Equipment (AST-19) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Telecommunications Equipment (AST-19) by preventing unauthorized physical interaction with systems and infrastructure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-20",
      "risk_if_not_implemented": "Without Video Teleconference (VTC) Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Video Teleconference (VTC) Security (AST-20) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Video Teleconference (VTC) Security (AST-20) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-21",
      "risk_if_not_implemented": "Without Voice Over Internet Protocol (VoIP) Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Voice Over Internet Protocol (VoIP) Security (AST-21) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Voice Over Internet Protocol (VoIP) Security (AST-21) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-22",
      "risk_if_not_implemented": "Without Microphones & Web Cameras, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Microphones & Web Cameras (AST-22) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-14",
        "name": "Usage Parameters",
        "description": "Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters.",
        "justification": "Usage Parameters (AST-14) provides overlapping security capability that compensates for the absence of Microphones & Web Cameras (AST-22) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-23",
      "risk_if_not_implemented": "Without Multi-Function Devices (MFD), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Multi-Function Devices (MFD) (AST-23) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Multi-Function Devices (MFD) (AST-23) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-24",
      "risk_if_not_implemented": "Without Travel-Only Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MDM-01",
        "name": "Centralized Management Of Mobile Devices",
        "description": "Mechanisms exist to implement and govern Mobile Device Management (MDM) controls.",
        "justification": "Centralized Management Of Mobile Devices (MDM-01) provides overlapping security capability that compensates for the absence of Travel-Only Devices (AST-24) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Travel-Only Devices (AST-24) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-25",
      "risk_if_not_implemented": "Without Re-Imaging Devices After Travel, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Re-Imaging Devices After Travel (AST-25) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides overlapping security capability that compensates for the absence of Re-Imaging Devices After Travel (AST-25) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-26",
      "risk_if_not_implemented": "Without System Administrative Processes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of System Administrative Processes (AST-26) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of System Administrative Processes (AST-26) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-27",
      "risk_if_not_implemented": "Without Jump Server, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Jump Server (AST-27) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Jump Server (AST-27) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-28",
      "risk_if_not_implemented": "Without Database Administrative Processes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Database Administrative Processes (AST-28) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Database Administrative Processes (AST-28) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-28.1",
      "risk_if_not_implemented": "Without Database Management System (DBMS), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Database Management System (DBMS) (AST-28.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Database Management System (DBMS) (AST-28.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-29",
      "risk_if_not_implemented": "Without Radio Frequency Identification (RFID) Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Radio Frequency Identification (RFID) Security (AST-29) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides physical access control enforcement that compensates for the absence of Radio Frequency Identification (RFID) Security (AST-29) by restricting physical access to systems and infrastructure to authorized individuals through alternative physical access authorization mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-29.1",
      "risk_if_not_implemented": "Without Contactless Access Control Systems, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides physical access control enforcement that compensates for the absence of Contactless Access Control Systems (AST-29.1) by restricting physical access to systems and infrastructure to authorized individuals through alternative physical access authorization mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Contactless Access Control Systems (AST-29.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-30",
      "risk_if_not_implemented": "Without Decommissioning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-09",
        "name": "Secure Disposal, Destruction or Re-Use of Equipment",
        "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
        "justification": "Secure Disposal, Destruction or Re-Use of Equipment (AST-09) compensates for the absence of Decommissioning (AST-30) by ensuring that system components leaving service are sanitized, destroyed or securely repurposed so that information cannot be recovered from them. This covers the data-remanence portion of the decommissioning risk; it does not by itself cover other decommissioning activities such as revoking the asset's credentials, certificates and network access or removing it from monitoring and inventories, so those steps should be tracked separately until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) compensates for the absence of Decommissioning (AST-30) by requiring the inventory to accurately reflect the TAASD currently in use, which forces retired assets to be identified and removed from the authorized population and provides an auditable record that they are no longer in service. An inventory does not perform the decommissioning steps themselves (sanitization, access revocation), so it is most effective when paired with AST-09 and reviewed on a defined schedule until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-31",
      "risk_if_not_implemented": "Without Asset Categorization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Asset Categorization (AST-31) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Asset Categorization (AST-31) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-31.1",
      "risk_if_not_implemented": "Without Categorize Artificial Intelligence (AI)-Related Technologies, AI and machine learning systems may not be identified as such within the organization's asset population, so AI-specific risks are not assessed and the corresponding security, privacy and compliance requirements are not applied to them.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Categorize Artificial Intelligence (AI)-Related Technologies (AST-31.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Categorize Artificial Intelligence (AI)-Related Technologies (AST-31.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-31.2",
      "risk_if_not_implemented": "Without High-Risk Asset Categorization, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of High-Risk Asset Categorization (AST-31.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of High-Risk Asset Categorization (AST-31.2) by surfacing unauthorized, anomalous or non-compliant activity across all assets rather than only those flagged as high-risk, which reduces the chance that an unidentified high-risk asset goes unobserved. Categorization is a prioritization control rather than a preventive one, so monitoring does not replace it: without the categorization, monitoring coverage and alert priority cannot be tuned to the highest-risk assets, and that residual gap should be tracked until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-31.3",
      "risk_if_not_implemented": "Without Asset Attributes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Asset Attributes (AST-31.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Asset Attributes (AST-31.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "AST-32",
      "risk_if_not_implemented": "Without Automated Network Asset Discovery, unknown or unmanaged devices connected to the network may not be detected in a timely manner, leaving them outside vulnerability management, monitoring and access control and giving attackers unprotected footholds and pathways for lateral movement.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) compensates for the absence of Automated Network Asset Discovery (AST-32) by maintaining a documented population of authorized TAASD against which devices observed on the network can be reconciled. A manually maintained inventory only covers assets the organization already knows about, so this compensation depends on periodic reconciliation (for example, against network, DHCP or authentication logs) to catch unknown devices; without that reconciliation the residual risk from unmanaged devices remains until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective capability that compensates for the absence of Automated Network Asset Discovery (AST-32) by identifying network activity from devices that are not in the authorized inventory, so unknown or unmanaged assets can still be detected through their traffic and authentication events rather than through discovery scans. Discovery is itself a detective control rather than a preventive one, so monitoring can substitute for it only where monitoring coverage spans the same network segments; gaps in that coverage remain as residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.1",
      "risk_if_not_implemented": "Without Coordinate with Related Plans, the contingency plan may conflict with or leave gaps relative to related plans (for example, incident response, crisis communications and disaster recovery plans), leading to uncoordinated, delayed or conflicting actions during a disruption.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that partially compensates for the absence of Coordinate with Related Plans (BCD-01.1) by ensuring that, even if plans are not aligned, verified backups exist to restore data within the defined RTOs and RPOs. Backups do not resolve conflicting or overlapping responsibilities between plans, so this compensation limits the impact of poor coordination rather than closing the coordination gap itself; the residual risk should be tracked until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Coordinate with Related Plans (BCD-01.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.2",
      "risk_if_not_implemented": "Without Coordinate With External Service Providers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Coordinate With External Service Providers (BCD-01.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-08",
        "name": "Alternate Storage Site",
        "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "justification": "Alternate Storage Site (BCD-08) provides resilience and recovery capability that compensates for the absence of Coordinate With External Service Providers (BCD-01.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.3",
      "risk_if_not_implemented": "Without Transfer to Alternate Processing / Storage Site, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-03",
        "name": "Contingency Training",
        "description": "Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.",
        "justification": "Contingency Training (BCD-03) partially compensates for the absence of Transfer to Alternate Processing / Storage Site (BCD-01.3) by ensuring contingency personnel understand their roles and can execute the recovery steps that are available, which reduces delays and errors during a disruption. Training does not provide an alternate site or the ability to move processing and storage to one, so it does not address the underlying risk that a loss of the primary site cannot be recovered from; residual risk remains high until the primary control (or an alternate processing or storage site) is implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) is a weak compensation for the absence of Transfer to Alternate Processing / Storage Site (BCD-01.3): general awareness training helps personnel recognize and report disruptive events and follow established procedures, but it does not provide an alternate site or the means to transfer processing and storage to one. It should be treated as reducing human-factor delays during a disruption rather than as addressing the site-loss risk itself, and the residual risk should be documented as largely unmitigated until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.4",
      "risk_if_not_implemented": "Without Recovery Time / Point Objectives (RTO / RPO), the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-04",
        "name": "Contingency Plan Testing & Exercises",
        "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "justification": "Contingency Plan Testing & Exercises (BCD-04) provides periodic assessment and assurance that compensates for the absence of Recovery Time / Point Objectives (RTO / RPO) (BCD-01.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-05",
        "name": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.",
        "justification": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned (BCD-05) partially compensates for the absence of Recovery Time / Point Objectives (RTO / RPO) (BCD-01.4) by capturing, after each plan activation, how long recovery actually took and how much data was lost, which gives the organization empirical evidence of its recovery capability even without formally defined objectives. Because it only produces this evidence after an activation, it cannot substitute for agreed targets that drive backup frequency and recovery design in advance; the residual risk should be tracked until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.5",
      "risk_if_not_implemented": "Without Recovery Operations Criteria, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Recovery Operations Criteria (BCD-01.5) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Recovery Operations Criteria (BCD-01.5) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.6",
      "risk_if_not_implemented": "Without Recovery Operations Communications, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) partially compensates for the absence of Recovery Operations Communications (BCD-01.6) by ensuring data, software and system images can be restored within RTOs and RPOs even when recovery activities are poorly communicated, which limits data loss during an uncoordinated recovery. Backups do not establish how recovery status is communicated to stakeholders, so this compensation addresses the impact of a disruption rather than the communications gap itself; the residual risk should be tracked until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Recovery Operations Communications (BCD-01.6) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-01.7",
      "risk_if_not_implemented": "Without Business Continuity & Disaster Recovery (BC/DR) Plans, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Business Continuity & Disaster Recovery (BC/DR) Plans (BCD-01.7) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Business Continuity & Disaster Recovery (BC/DR) Plans (BCD-01.7) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-02",
      "risk_if_not_implemented": "Without Identify Critical Assets, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) compensates for the absence of Identify Critical Assets (BCD-02) by providing the complete population of TAASD, including business justification details, from which the assets supporting essential missions and business functions can be identified and prioritized for recovery. An inventory records what exists but not its criticality, so this compensation is effective only if the inventory is reviewed against business requirements to mark critical assets until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Identify Critical Assets (BCD-02) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-02.1",
      "risk_if_not_implemented": "Without Resume All Missions & Business Functions, recovery efforts may stop once essential functions are restored, leaving the remaining missions and business functions disrupted for an extended or indefinite period.",
      "compensating_control_1": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) partially compensates for the absence of Resume All Missions & Business Functions (BCD-02.1) by categorizing TAAS so that the assets supporting each mission and business function can be identified and sequenced for recovery once essential functions are restored. Categorization does not itself restore anything or commit the organization to resuming all functions within RTOs, so it supports planning for full resumption rather than guaranteeing it; the residual risk should be tracked until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Resume All Missions & Business Functions (BCD-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-02.2",
      "risk_if_not_implemented": "Without Continue Essential Mission & Business Functions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Continue Essential Mission & Business Functions (BCD-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Continue Essential Mission & Business Functions (BCD-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-02.3",
      "risk_if_not_implemented": "Without Resume Essential Missions & Business Functions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Resume Essential Missions & Business Functions (BCD-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-02",
        "name": "Identify Critical Assets",
        "description": "Mechanisms exist to identify and document the critical Technology Assets, Applications, Services and/or Data (TAASD) that support essential missions and business functions.",
        "justification": "Identify Critical Assets (BCD-02) provides overlapping security capability that compensates for the absence of Resume Essential Missions & Business Functions (BCD-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-02.4",
      "risk_if_not_implemented": "Without Data Storage Location Reviews, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Data Storage Location Reviews (BCD-02.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-02",
        "name": "Identify Critical Assets",
        "description": "Mechanisms exist to identify and document the critical Technology Assets, Applications, Services and/or Data (TAASD) that support essential missions and business functions.",
        "justification": "Identify Critical Assets (BCD-02) provides overlapping security capability that compensates for the absence of Data Storage Location Reviews (BCD-02.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-03",
      "risk_if_not_implemented": "Without Contingency Training, contingency personnel and applicable stakeholders may not know their roles and responsibilities when the contingency plan is activated, delaying or derailing recovery of essential missions and business functions.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that partially compensates for the absence of Contingency Training (BCD-03), but only to the extent that the awareness curriculum explicitly covers contingency roles, responsibilities and plan-activation procedures; generic threat-recognition content does not prepare personnel to execute recovery. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Contingency Training (BCD-03) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-03.1",
      "risk_if_not_implemented": "Without Simulated Events, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Simulated Events (BCD-03.1) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Simulated Events (BCD-03.1) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-03.2",
      "risk_if_not_implemented": "Without Automated Training Environments, contingency training may be delivered less frequently, less realistically or inconsistently across contingency personnel, leaving them less prepared to execute their contingency roles when the plan is activated.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Automated Training Environments (BCD-03.2) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-03",
        "name": "Contingency Training",
        "description": "Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.",
        "justification": "Contingency Training (BCD-03) provides personnel training and awareness that compensates for the absence of Automated Training Environments (BCD-03.2) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-04",
      "risk_if_not_implemented": "Without Contingency Plan Testing & Exercises, the contingency plan remains unproven, so gaps in procedures, dependencies and personnel readiness are likely to be discovered only during an actual disruption, when they are most costly.",
      "compensating_control_1": {
        "control_id": "BCD-05",
        "name": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.",
        "justification": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned (BCD-05) provides overlapping security capability that compensates for the absence of Contingency Plan Testing & Exercises (BCD-04) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that partially compensates for the absence of Contingency Plan Testing & Exercises (BCD-04) by ensuring recoverable copies of data, software and system images exist. Because the missing control is the one that would prove the plan works, the organization should at minimum perform and record periodic restore tests of those backups against stated RTOs and RPOs; backup integrity verification alone does not demonstrate that recovery procedures or personnel are ready. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-04.1",
      "risk_if_not_implemented": "Without Coordinated Testing with Related Plans, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-05",
        "name": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.",
        "justification": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned (BCD-05) provides overlapping security capability that compensates for the absence of Coordinated Testing with Related Plans (BCD-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-04",
        "name": "Contingency Plan Testing & Exercises",
        "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "justification": "Contingency Plan Testing & Exercises (BCD-04) provides periodic assessment and assurance that compensates for the absence of Coordinated Testing with Related Plans (BCD-04.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-04.2",
      "risk_if_not_implemented": "Without Alternate Storage & Processing Sites, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-04",
        "name": "Contingency Plan Testing & Exercises",
        "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "justification": "Contingency Plan Testing & Exercises (BCD-04) provides periodic assessment and assurance that partially compensates for the absence of Alternate Storage & Processing Sites (BCD-04.2) by exercising the contingency plan and surfacing gaps in recovery readiness. Note that testing conducted only at the primary site does not demonstrate that recovery at alternate storage and processing sites will work, so the residual risk should be explicitly documented and accepted. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-06",
        "name": "Incident Response Testing",
        "description": "Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.",
        "justification": "Incident Response Testing (IRO-06) provides periodic assessment and assurance that compensates for the absence of Alternate Storage & Processing Sites (BCD-04.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-05",
      "risk_if_not_implemented": "Without Contingency Plan Root Cause Analysis (RCA) & Lessons Learned, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-13",
        "name": "Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.",
        "justification": "Root Cause Analysis (RCA) & Lessons Learned (IRO-13) provides overlapping security capability that compensates for the absence of Contingency Plan Root Cause Analysis (RCA) & Lessons Learned (BCD-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-04",
        "name": "Contingency Plan Testing & Exercises",
        "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "justification": "Contingency Plan Testing & Exercises (BCD-04) provides periodic assessment and assurance that compensates for the absence of Contingency Plan Root Cause Analysis (RCA) & Lessons Learned (BCD-05) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-06",
      "risk_if_not_implemented": "Without Ongoing Contingency Planning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-07",
        "name": "Risk Assessment Update",
        "description": "Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.",
        "justification": "Risk Assessment Update (RSK-07) provides periodic assessment and assurance that compensates for the absence of Ongoing Contingency Planning (BCD-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Ongoing Contingency Planning (BCD-06) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-06.1",
      "risk_if_not_implemented": "Without Contingency Planning Components, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Contingency Planning Components (BCD-06.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Contingency Planning Components (BCD-06.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-06.2",
      "risk_if_not_implemented": "Without Contingency Plan Update Notifications, personnel responsible for executing the contingency plan may act on superseded versions, leading to uncoordinated or incorrect recovery actions during a disruption.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides the governance framework that compensates for the absence of Contingency Plan Update Notifications (BCD-06.2), to the extent the BCMS includes a defined process for reviewing plan changes and distributing updated versions to the personnel who must execute them. A BCMS does not by itself restore operations or data; its compensating value depends on that distribution step actually being performed and evidenced. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-07",
        "name": "Risk Assessment Update",
        "description": "Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.",
        "justification": "Risk Assessment Update (RSK-07) provides periodic assessment and assurance that compensates for the absence of Contingency Plan Update Notifications (BCD-06.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-07",
      "risk_if_not_implemented": "Without Alternative Security Measures, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Alternative Security Measures (BCD-07) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Alternative Security Measures (BCD-07) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-08",
      "risk_if_not_implemented": "Without Alternate Storage Site, system backup information may be stored only at the primary site, so a single site-level event (fire, flood, ransomware spreading across the facility network) can destroy both production data and its backups and prevent recovery.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Alternate Storage Site (BCD-08) only when backup copies are stored at a location that is not exposed to the same hazards as the primary site (see BCD-08.1). Backups retained solely at the primary site are lost in the same event that destroys the primary data and therefore do not compensate for a missing alternate storage site. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Alternate Storage Site (BCD-08) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-08.1",
      "risk_if_not_implemented": "Without Separation from Primary Storage Site, the alternate storage site may be susceptible to the same hazards (e.g., a regional disaster or area-wide outage) as the primary site, so a single event may destroy both copies of backup information.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Separation from Primary Storage Site (BCD-08.1) only if the alternate processing site is itself sufficiently distant from the primary site to avoid susceptibility to the same hazards and holds a current copy of the system backup information. An alternate processing site co-located with, or dependent on, the primary storage site does not remove the common-mode loss the primary control is intended to prevent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Separation from Primary Storage Site (BCD-08.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-08.2",
      "risk_if_not_implemented": "Without Primary Storage Site Accessibility, the organization may not have identified and mitigated the conditions under which an area-wide disruption also prevents reaching the site that holds backup information, so backups may be physically or logically unreachable at the moment recovery is needed, extending outage duration and data loss.",
      "compensating_control_1": {
        "control_id": "BCD-08",
        "name": "Alternate Storage Site",
        "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "justification": "Alternate Storage Site (BCD-08) provides resilience and recovery capability that compensates for the absence of Primary Storage Site Accessibility (BCD-08.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Primary Storage Site Accessibility (BCD-08.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-09",
      "risk_if_not_implemented": "Without Alternate Processing Site, loss of the primary processing facility leaves no location from which essential missions and business functions can be resumed, so the outage lasts until the primary site is repaired or rebuilt and Recovery Time Objectives (RTOs) are likely to be exceeded.",
      "compensating_control_1": {
        "control_id": "BCD-08",
        "name": "Alternate Storage Site",
        "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "justification": "Alternate Storage Site (BCD-08) provides resilience and recovery capability that compensates for the absence of Alternate Processing Site (BCD-09) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-05",
        "name": "Elastic Expansion",
        "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "justification": "Elastic Expansion (CAP-05) provides overlapping capacity capability that partially compensates for the absence of Alternate Processing Site (BCD-09) by allowing workloads to scale onto additional resources when demand or failure conditions change, aligned with Facility applicability. This only substitutes for an alternate processing site if the additional resources are provisioned in a facility or region that is not subject to the same disruption as the primary site; automatic scaling within the primary facility does nothing for loss of that facility, and the failover path should be tested rather than assumed. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      }
    },
    {
      "control_id": "BCD-09.1",
      "risk_if_not_implemented": "Without Separation from Primary Processing Site, an alternate processing site that shares the hazard area, power grid or network path of the primary site can be taken down by the same event, so failover capacity may be unavailable exactly when the primary site is lost.",
      "compensating_control_1": {
        "control_id": "CAP-05",
        "name": "Elastic Expansion",
        "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "justification": "Elastic Expansion (CAP-05) provides overlapping capacity capability that partially compensates for the absence of Separation from Primary Processing Site (BCD-09.1) by allowing workloads to scale onto additional resources, aligned with Facility applicability. It addresses this risk only when the scaling target is a physically separate facility or region (for example a different availability zone or data center) that would not be affected by the same disruption as the primary site; elastic capacity inside the same facility does not provide geographic separation. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "BCD-15",
        "name": "Reserve Hardware",
        "description": "Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.",
        "justification": "Reserve Hardware (BCD-15) provides overlapping capability that partially compensates for the absence of Separation from Primary Processing Site (BCD-09.1) by ensuring replacement hardware is available to rebuild processing capacity, aligned with Facility applicability. The reserve only helps with a site-level disruption if it is stored away from the primary and alternate processing sites; spares held in the same facility would be lost in the same event, and the reserve does not by itself provide a location, power or connectivity from which to operate. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      }
    },
    {
      "control_id": "BCD-09.2",
      "risk_if_not_implemented": "Without Alternate Processing Site Accessibility, the organization may not have identified and mitigated the ways in which a disruption affecting the primary site could also prevent personnel, data or network connectivity from reaching the alternate processing site, so failover may be impossible or delayed beyond Recovery Time Objectives (RTOs).",
      "compensating_control_1": {
        "control_id": "BCD-15",
        "name": "Reserve Hardware",
        "description": "Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.",
        "justification": "Reserve Hardware (BCD-15) provides overlapping security capability that compensates for the absence of Alternate Processing Site Accessibility (BCD-09.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-05",
        "name": "Elastic Expansion",
        "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "justification": "Elastic Expansion (CAP-05) provides overlapping security capability that compensates for the absence of Alternate Processing Site Accessibility (BCD-09.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-09.3",
      "risk_if_not_implemented": "Without Alternate Site Priority of Service, the alternate site provider may serve other customers ahead of the organization during a regional disruption when many tenants fail over at once, so contracted capacity, equipment or support may not actually be available when the organization needs it.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Alternate Site Priority of Service (BCD-09.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-05",
        "name": "Elastic Expansion",
        "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "justification": "Elastic Expansion (CAP-05) provides overlapping security capability that compensates for the absence of Alternate Site Priority of Service (BCD-09.3) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-09.4",
      "risk_if_not_implemented": "Without Preparation for Use, the alternate processing site may lack the configured equipment, supplies, connectivity and data needed to resume essential missions and business functions, so failover is delayed while the site is readied and Recovery Time Objectives (RTOs) may be missed.",
      "compensating_control_1": {
        "control_id": "CAP-05",
        "name": "Elastic Expansion",
        "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "justification": "Elastic Expansion (CAP-05) provides overlapping security capability that compensates for the absence of Preparation for Use (BCD-09.4) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Preparation for Use (BCD-09.4) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-09.5",
      "risk_if_not_implemented": "Without planning for an Inability to Return to Primary Site, the organization may have no strategy for sustaining operations at the alternate site over an extended period, or for establishing a new primary site, if the original site cannot be reoccupied after a disruption, leading to prolonged degraded operations.",
      "compensating_control_1": {
        "control_id": "BCD-08",
        "name": "Alternate Storage Site",
        "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "justification": "Alternate Storage Site (BCD-08) provides resilience and recovery capability that compensates for the absence of Inability to Return to Primary Site (BCD-09.5) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Inability to Return to Primary Site (BCD-09.5) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-10",
      "risk_if_not_implemented": "Without Telecommunications Services Availability, primary telecommunications services remain a single point of failure, so a carrier, circuit or exchange outage can sever connectivity for essential missions and business functions, including the links needed to reach alternate sites and backups during recovery.",
      "compensating_control_1": {
        "control_id": "NET-10",
        "name": "Domain Name Service (DNS) Resolution",
        "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "justification": "Domain Name Service (DNS) Resolution (NET-10) provides only partial compensation for the absence of Telecommunications Services Availability (BCD-10), aligned with Facility applicability: securely designed and redundantly hosted name resolution keeps services reachable when a single resolver fails or is attacked, but it does not remove the single point of failure in the underlying carrier links that BCD-10 addresses. The residual risk of a primary telecommunications outage should be explicitly documented and accepted. Given the facility and physical environment focus of this control, this compensating control targets a related risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Telecommunications Services Availability (BCD-10) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-10.1",
      "risk_if_not_implemented": "Without Telecommunications Priority of Service Provisions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-11",
        "name": "Out-of-Band Channels",
        "description": "Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.",
        "justification": "Out-of-Band Channels (NET-11) provides overlapping security capability that compensates for the absence of Telecommunications Priority of Service Provisions (BCD-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-10",
        "name": "Telecommunications Services Availability",
        "description": "Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.",
        "justification": "Telecommunications Services Availability (BCD-10) provides overlapping security capability that compensates for the absence of Telecommunications Priority of Service Provisions (BCD-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-10.2",
      "risk_if_not_implemented": "Without Separation of Primary / Alternate Providers, the alternate telecommunications provider may share infrastructure, physical routes or points of presence with the primary provider, so a single outage can take down both services and the alternate provides no real redundancy.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Separation of Primary / Alternate Providers (BCD-10.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-11",
        "name": "Out-of-Band Channels",
        "description": "Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.",
        "justification": "Out-of-Band Channels (NET-11) provides overlapping security capability that compensates for the absence of Separation of Primary / Alternate Providers (BCD-10.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-10.3",
      "risk_if_not_implemented": "Without Provider Contingency Plan, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-10",
        "name": "Domain Name Service (DNS) Resolution",
        "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "justification": "Domain Name Service (DNS) Resolution (NET-10) provides overlapping security capability that compensates for the absence of Provider Contingency Plan (BCD-10.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-11",
        "name": "Out-of-Band Channels",
        "description": "Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.",
        "justification": "Out-of-Band Channels (NET-11) provides overlapping security capability that compensates for the absence of Provider Contingency Plan (BCD-10.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-10.4",
      "risk_if_not_implemented": "Without Alternate Communications Channels, failure of the primary communications channel leaves no means to coordinate incident response and recovery activities or to notify stakeholders, extending the time to detect, contain and recover from a disruption.",
      "compensating_control_1": {
        "control_id": "BCD-10",
        "name": "Telecommunications Services Availability",
        "description": "Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.",
        "justification": "Telecommunications Services Availability (BCD-10) provides overlapping security capability that compensates for the absence of Alternate Communications Channels (BCD-10.4) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-11",
        "name": "Out-of-Band Channels",
        "description": "Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.",
        "justification": "Out-of-Band Channels (NET-11) provides overlapping security capability that compensates for the absence of Alternate Communications Channels (BCD-10.4) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.1",
      "risk_if_not_implemented": "Without Testing for Reliability & Integrity, backups may be incomplete, corrupt or unrestorable and the failure is discovered only during an actual recovery, resulting in data loss and downtime beyond the Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) the backups were meant to satisfy.",
      "compensating_control_1": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) provides resilience and recovery capability that partially compensates for the absence of Testing for Reliability & Integrity (BCD-11.1) by protecting the backup and restoration hardware and software from tampering and damage, which removes one source of backup corruption. It does not verify that backups can actually be restored; the backup integrity verification described under Data Backups (BCD-11) and periodic restore exercises should still be performed. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "BCD-14",
        "name": "Isolated Recovery Environment",
        "description": "Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.",
        "justification": "Isolated Recovery Environment (BCD-14) provides resilience and recovery capability that compensates for the absence of Testing for Reliability & Integrity (BCD-11.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.2",
      "risk_if_not_implemented": "Without Separate Storage for Critical Information, backup copies of critical data may reside on the same systems or media as production data, so a single event (hardware failure, malicious deletion or malware) can compromise both and leave nothing from which to recover.",
      "compensating_control_1": {
        "control_id": "BCD-14",
        "name": "Isolated Recovery Environment",
        "description": "Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.",
        "justification": "Isolated Recovery Environment (BCD-14) provides resilience and recovery capability that compensates for the absence of Separate Storage for Critical Information (BCD-11.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Separate Storage for Critical Information (BCD-11.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.3",
      "risk_if_not_implemented": "Without Recovery Images, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that only partially compensates for the absence of Recovery Images (BCD-11.3): it prevents unauthorized disclosure of stored system and backup data but does not by itself provide a known-good image from which a system can be rebuilt, so it does not address the availability risk of this control. It should be paired with a recovery mechanism such as Data Backups (BCD-11) or Backup & Restoration Hardware Protection (BCD-13). Given the technology-focused nature of this control, this compensating control targets a related risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) provides resilience and recovery capability that compensates for the absence of Recovery Images (BCD-11.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.4",
      "risk_if_not_implemented": "Without Cryptographic Protection, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) provides protection of backup and restoration hardware and software that partially compensates for the absence of Cryptographic Protection (BCD-11.4) by restricting physical and logical access to the systems and media holding backup data. It does not protect backup data once it leaves the protected environment (for example during transfer to an alternate storage site), so unencrypted backups remain exposed there and the residual confidentiality risk should be documented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Cryptographic Protection (BCD-11.4) by preventing unauthorized disclosure of backup data at rest through alternative technical means. CRY-05 as described addresses confidentiality only; integrity of backups must still be assured separately (for example through the integrity verification in Data Backups (BCD-11)), and the encryption keys must be recoverable independently of the systems being restored or the encrypted backups become unusable. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      }
    },
    {
      "control_id": "BCD-11.5",
      "risk_if_not_implemented": "Without Test Restoration Using Sampling, the organization has no evidence that its backups can actually be restored, so corrupt, incomplete or misconfigured backups may go undetected until a real recovery is attempted, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) only partially compensates for the absence of Test Restoration Using Sampling (BCD-11.5): it protects stored backups from unauthorized disclosure but does not demonstrate that a backup can actually be restored. The restorability gap must be covered by the backup integrity verification performed under Data Backups (BCD-11); CRY-05 should be treated as a supporting control rather than a substitute, and sample restoration testing should be implemented as soon as practicable."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) compensates for the absence of Test Restoration Using Sampling (BCD-11.5) because it requires the integrity of backups to be verified when they are created, which gives some assurance that backup data is intact even though no sample restoration is performed. Verifying the backup set is not the same as proving that a restore completes within the RTO/RPO, so residual risk remains until sample restoration testing is implemented."
      }
    },
    {
      "control_id": "BCD-11.6",
      "risk_if_not_implemented": "Without Transfer to Alternate Storage Site, backup copies may be lost together with the primary site in a localized disaster, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-14",
        "name": "Isolated Recovery Environment",
        "description": "Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.",
        "justification": "Isolated Recovery Environment (BCD-14) provides resilience and recovery capability that compensates for the absence of Transfer to Alternate Storage Site (BCD-11.6) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) does not create an off-site copy and therefore does not address the core availability risk of a missing Transfer to Alternate Storage Site (BCD-11.6); its relevance is limited to ensuring that backups remain protected from disclosure if they are later moved or replicated to another location. It should be treated as a supporting control alongside Isolated Recovery Environment (BCD-14), which provides the offline or off-site copy, until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.7",
      "risk_if_not_implemented": "Without Redundant Secondary System, failure of the primary system leaves no secondary system to take over, increasing the likelihood of data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) provides resilience and recovery capability that compensates for the absence of Redundant Secondary System (BCD-11.7) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Redundant Secondary System (BCD-11.7) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.8",
      "risk_if_not_implemented": "Without Dual Authorization For Backup Media Destruction, a single individual (whether in error or with malicious intent) can destroy backup media without independent review, resulting in unrecoverable data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) does not prevent a single individual from destroying backup media and so does not replace Dual Authorization For Backup Media Destruction (BCD-11.8); it limits the impact by ensuring that recurring backups exist, so that destruction of one media set does not eliminate every copy. This reduces but does not remove the risk of unreviewed destruction, and residual risk remains until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) provides resilience and recovery capability that compensates for the absence of Dual Authorization For Backup Media Destruction (BCD-11.8) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.9",
      "risk_if_not_implemented": "Without Backup Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "BCD-08",
        "name": "Alternate Storage Site",
        "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "justification": "Alternate Storage Site (BCD-08) does not restrict who can access backups and therefore only partially compensates for the absence of Backup Access (BCD-11.9): by keeping a separate copy of backup information at another location under its own agreements, it limits the impact if backups at the primary location are accessed or altered by unauthorized users. Access restrictions on the backups themselves remain the primary control, and the residual risk of unauthorized access persists until it is implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) compensates for the absence of Backup Access (BCD-11.9) by protecting the hardware and software used to create and restore backups, which narrows the paths through which unauthorized users could reach backup data. It does not implement user-level access restrictions on the backups themselves, so residual risk remains until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-11.10",
      "risk_if_not_implemented": "Without Backup Modification and/or Destruction controls, backups may be altered or destroyed without authorization, leaving no trustworthy copy to recover from and resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-13",
        "name": "Backup & Restoration Hardware Protection",
        "description": "Mechanisms exist to protect backup and restoration hardware and software.",
        "justification": "Backup & Restoration Hardware Protection (BCD-13) provides resilience and recovery capability that compensates for the absence of Backup Modification and/or Destruction (BCD-11.10) by ensuring the organization can restore operations and data when the primary control is absent. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-08",
        "name": "Alternate Storage Site",
        "description": "Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.",
        "justification": "Alternate Storage Site (BCD-08) provides resilience and recovery capability that compensates for the absence of Backup Modification and/or Destruction (BCD-11.10) by ensuring the organization can restore operations and data when the primary control is absent. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-12",
      "risk_if_not_implemented": "Without Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution, systems may not be returned to a known-good state after a disruption or compromise, resulting in prolonged outages or the reintroduction of compromised components.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution (BCD-12) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution (BCD-12) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-12.1",
      "risk_if_not_implemented": "Without Transaction Recovery, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-14",
        "name": "Isolated Recovery Environment",
        "description": "Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.",
        "justification": "Isolated Recovery Environment (BCD-14) provides resilience and recovery capability that compensates for the absence of Transaction Recovery (BCD-12.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Transaction Recovery (BCD-12.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-12.2",
      "risk_if_not_implemented": "Without Failover Capability, failure of a primary system results in a loss of service until it is manually recovered, resulting in extended downtime for essential functions.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Failover Capability (BCD-12.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-15",
        "name": "Reserve Hardware",
        "description": "Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.",
        "justification": "Reserve Hardware (BCD-15) provides overlapping security capability that compensates for the absence of Failover Capability (BCD-12.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-12.3",
      "risk_if_not_implemented": "Without Electronic Discovery (eDiscovery), the organization may be unable to locate, preserve and produce electronic records when required for legal or regulatory proceedings, resulting in non-compliance and legal exposure.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) partially compensates for the absence of Electronic Discovery (eDiscovery) (BCD-12.3) by preserving copies of data that may later need to be produced. Backups are not indexed or searchable for discovery purposes and are retained only for as long as the backup cycle keeps them, so they are a fallback source of records rather than a substitute; residual risk remains until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-12",
        "name": "Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution",
        "description": "Mechanisms exist to ensure the secure recovery and reconstitution of Technology Assets, Applications and/or Services (TAAS) to a known state after a disruption, compromise or failure.",
        "justification": "Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution (BCD-12) provides recovery capability that partially compensates for the absence of Electronic Discovery (eDiscovery) (BCD-12.3) by enabling systems and their data to be reconstituted to a known state, from which records needed for a discovery request can be recovered. It does not provide search, preservation or legal-hold functionality, so residual risk remains until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-12.4",
      "risk_if_not_implemented": "Without Restore Within Time Period, restoration may exceed the defined Recovery Time Objective (RTO), resulting in extended downtime for essential functions.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Restore Within Time Period (BCD-12.4) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Restore Within Time Period (BCD-12.4) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-13",
      "risk_if_not_implemented": "Without Backup & Restoration Hardware Protection, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Backup & Restoration Hardware Protection (BCD-13) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Backup & Restoration Hardware Protection (BCD-13) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-13.1",
      "risk_if_not_implemented": "Without Restoration Integrity Verification, data restored from backup may be incomplete, corrupted or tampered with and go unnoticed, resulting in operations resuming on unreliable data.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) compensates for the absence of Restoration Integrity Verification (BCD-13.1) because it requires the integrity of backups to be verified when they are created, which reduces the chance that a corrupted backup is restored in the first place. Verifying the backup set is not the same as verifying the restored result, so residual risk remains until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) only indirectly compensates for the absence of Restoration Integrity Verification (BCD-13.1): by preventing unauthorized physical interaction with backup and restoration infrastructure, it reduces one way in which backup data could be tampered with before it is restored. It provides no verification that restored data is intact, so residual risk remains until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-14",
      "risk_if_not_implemented": "Without Isolated Recovery Environment, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Isolated Recovery Environment (BCD-14) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Isolated Recovery Environment (BCD-14) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "BCD-15",
      "risk_if_not_implemented": "Without Reserve Hardware, a hardware failure or supply chain disruption may leave no replacement equipment available, resulting in extended downtime for essential missions and business functions.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Reserve Hardware (BCD-15) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-05",
        "name": "Elastic Expansion",
        "description": "Mechanisms exist to automatically scale the resources available for Technology Assets, Applications and/or Services (TAAS), as demand conditions change.",
        "justification": "Elastic Expansion (CAP-05) provides overlapping security capability that compensates for the absence of Reserve Hardware (BCD-15) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CAP-01",
      "risk_if_not_implemented": "Without Capacity & Performance Management, resource exhaustion may go unnoticed until services degrade or fail, resulting in loss of availability.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective capability that compensates for the absence of Capacity & Performance Management (CAP-01) by surfacing resource exhaustion and performance degradation as they occur, allowing a response before availability is lost. Monitoring is reactive and does not plan for or provision future capacity, so residual risk remains until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Capacity & Performance Management (CAP-01) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CAP-02",
      "risk_if_not_implemented": "Without Resource Priority, essential functions may be starved of resources by lower-priority workloads during periods of contention, resulting in degraded availability.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Resource Priority (CAP-02) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Resource Priority (CAP-02) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CAP-03",
      "risk_if_not_implemented": "Without Capacity Planning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Capacity Planning (CAP-03) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Capacity Planning (CAP-03) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CAP-04",
      "risk_if_not_implemented": "Without Performance Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Performance Monitoring (CAP-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Performance Monitoring (CAP-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CAP-05",
      "risk_if_not_implemented": "Without Elastic Expansion, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-09",
        "name": "Alternate Processing Site",
        "description": "Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.",
        "justification": "Alternate Processing Site (BCD-09) provides resilience and recovery capability that compensates for the absence of Elastic Expansion (CAP-05) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-03",
        "name": "Capacity Planning",
        "description": "Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.",
        "justification": "Capacity Planning (CAP-03) provides overlapping security capability that compensates for the absence of Elastic Expansion (CAP-05) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CAP-06",
      "risk_if_not_implemented": "Without Regional Delivery, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-01",
        "name": "Network Security Controls (NSC)",
        "description": "Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).",
        "justification": "Network Security Controls (NSC) (NET-01) provides network-level access restriction that compensates for the absence of Regional Delivery (CAP-06) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-10",
        "name": "Telecommunications Services Availability",
        "description": "Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.",
        "justification": "Telecommunications Services Availability (BCD-10) provides overlapping security capability that compensates for the absence of Regional Delivery (CAP-06) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-02",
      "risk_if_not_implemented": "Without Configuration Change Control, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Configuration Change Control (CHG-02) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Configuration Change Control (CHG-02) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-02.2",
      "risk_if_not_implemented": "Without Test, Validate & Document Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "CHG-06",
        "name": "Control Functionality Verification",
        "description": "Mechanisms exist to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
        "justification": "Control Functionality Verification (CHG-06) provides overlapping security capability that compensates for the absence of Test, Validate & Document Changes (CHG-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Test, Validate & Document Changes (CHG-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-02.3",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Representative for Asset Lifecycle Changes, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CHG-07",
        "name": "Emergency Changes",
        "description": "Mechanisms exist to govern change management procedures for \"emergency\" changes.",
        "justification": "Emergency Changes (CHG-07) provides change management discipline that compensates for the absence of Security, Compliance & Resilience Representative for Asset Lifecycle Changes (CHG-02.3) by ensuring changes to systems and configurations are controlled and reviewed to prevent unintended security impacts. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-08",
        "name": "Dual Approval For High-Impact Environments",
        "description": "Mechanisms exist to require dual approval for any changes that might result in a serious, but adverse impact to:\n(1) Business processes; and/or\n(2) Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Dual Approval For High-Impact Environments (CHG-08) provides overlapping security capability that compensates for the absence of Security, Compliance & Resilience Representative for Asset Lifecycle Changes (CHG-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-02.4",
      "risk_if_not_implemented": "Without Automated Security Response, the organization may lack the capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Automated Security Response (CHG-02.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides configuration hardening that compensates for the absence of Automated Security Response (CHG-02.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-02.5",
      "risk_if_not_implemented": "Without Cryptographic Management, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Cryptographic Management (CHG-02.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides configuration hardening that compensates for the absence of Cryptographic Management (CHG-02.5) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-03",
      "risk_if_not_implemented": "Without Security Impact Analysis for Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Security Impact Analysis for Changes (CHG-03) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Security Impact Analysis for Changes (CHG-03) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-04",
      "risk_if_not_implemented": "Without Access Restriction For Change, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Access Restriction For Change (CHG-04) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Access Restriction For Change (CHG-04) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-04.1",
      "risk_if_not_implemented": "Without Automated Access Enforcement / Auditing, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Automated Access Enforcement / Auditing (CHG-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Automated Access Enforcement / Auditing (CHG-04.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-04.2",
      "risk_if_not_implemented": "Without Signed Components, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Signed Components (CHG-04.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Signed Components (CHG-04.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-04.3",
      "risk_if_not_implemented": "Without Dual Authorization for Change, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Dual Authorization for Change (CHG-04.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-04",
        "name": "Access Restriction For Change",
        "description": "Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.",
        "justification": "Access Restriction For Change (CHG-04) provides access control enforcement that compensates for the absence of Dual Authorization for Change (CHG-04.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-04.4",
      "risk_if_not_implemented": "Without Permissions To Implement Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Permissions To Implement Changes (CHG-04.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-04",
        "name": "Access Restriction For Change",
        "description": "Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.",
        "justification": "Access Restriction For Change (CHG-04) provides access control enforcement that compensates for the absence of Permissions To Implement Changes (CHG-04.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-04.5",
      "risk_if_not_implemented": "Without Library Privileges, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Library Privileges (CHG-04.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Library Privileges (CHG-04.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-05",
      "risk_if_not_implemented": "Without Stakeholder Notification of Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Stakeholder Notification of Changes (CHG-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides policy-level governance that compensates for the absence of Stakeholder Notification of Changes (CHG-05) by establishing and disseminating the policies, standards and procedures that define who must be informed of changes and when, so that expectations for change communication are documented even where a formal notification mechanism is missing. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-06",
      "risk_if_not_implemented": "Without Control Functionality Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Control Functionality Verification (CHG-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Control Functionality Verification (CHG-06) by identifying unauthorized, anomalous, or non-compliant activity that indicates a control has stopped functioning after a change, which the primary control would otherwise have surfaced through explicit verification. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-06.1",
      "risk_if_not_implemented": "Without Report Verification Results, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Report Verification Results (CHG-06.1) by giving ongoing visibility into unauthorized, anomalous, or non-compliant activity in place of formally reported verification results. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Report Verification Results (CHG-06.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-07",
      "risk_if_not_implemented": "Without Emergency Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Emergency Changes (CHG-07) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-03",
        "name": "Security Impact Analysis for Changes",
        "description": "Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.",
        "justification": "Security Impact Analysis for Changes (CHG-03) provides risk identification and prioritization that compensates for the absence of Emergency Changes (CHG-07) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-07.1",
      "risk_if_not_implemented": "Without Documenting Emergency Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "CHG-03",
        "name": "Security Impact Analysis for Changes",
        "description": "Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.",
        "justification": "Security Impact Analysis for Changes (CHG-03) provides risk identification and prioritization that compensates for the absence of Documenting Emergency Changes (CHG-07.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Documenting Emergency Changes (CHG-07.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CHG-08",
      "risk_if_not_implemented": "Without Dual Approval For High-Impact Environments, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) compensates for the absence of Dual Approval For High-Impact Environments (CHG-08) by ensuring that the individual who requests or implements a change to a high-impact environment is not the same individual who approves it, so that an inappropriate change cannot be pushed through without collusion. This is narrower than dual approval, which calls for two independent approvers rather than merely separating requester from approver. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Dual Approval For High-Impact Environments (CHG-08) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-01.1",
      "risk_if_not_implemented": "Without Cloud Infrastructure Onboarding, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Cloud Infrastructure Onboarding (CLD-01.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Cloud Infrastructure Onboarding (CLD-01.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-01.2",
      "risk_if_not_implemented": "Without Cloud Infrastructure Offboarding, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-03",
        "name": "Supply Chain Risk Management (SCRM)",
        "description": "Mechanisms exist to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
        "justification": "Supply Chain Risk Management (SCRM) (TPM-03) provides risk identification and prioritization that compensates for the absence of Cloud Infrastructure Offboarding (CLD-01.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Cloud Infrastructure Offboarding (CLD-01.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-02",
      "risk_if_not_implemented": "Without Cloud Security Architecture, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) compensates for the absence of Cloud Security Architecture (CLD-02) by applying industry-recognized security, compliance and resilience practices to the specification, design, development, implementation and modification of cloud-hosted Technology Assets, Applications and/or Services (TAAS), so that security is built into individual cloud components even where no cloud-specific architecture has been defined. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Cloud Security Architecture (CLD-02) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-03",
      "risk_if_not_implemented": "Without Cloud Infrastructure Security Subnet, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Cloud Infrastructure Security Subnet (CLD-03) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Cloud Infrastructure Security Subnet (CLD-03) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-04",
      "risk_if_not_implemented": "Without Application Programming Interface (API) Security, APIs may accept unauthenticated, unauthorized or malformed requests, exposing data and functionality to misuse and leaving API-related risks unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Application Programming Interface (API) Security (CLD-04) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Application Programming Interface (API) Security (CLD-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-04.1",
      "risk_if_not_implemented": "Without API Gateway, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of API Gateway (CLD-04.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of API Gateway (CLD-04.1) by ensuring the confidentiality of API data in transit through alternative technical means. CRY-03 protects only the transport; it does not by itself provide the authentication, authorization, rate limiting or request validation functions that an API gateway typically centralizes, so those aspects remain as residual risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-05",
      "risk_if_not_implemented": "Without Virtual Machine Images, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Virtual Machine Images (CLD-05) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides change governance that compensates for the absence of Virtual Machine Images (CLD-05) by subjecting technical configuration changes to a governed change control process, so that deviations from an approved configuration are reviewed rather than introduced ad hoc. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-06",
      "risk_if_not_implemented": "Without Multi-Tenant Environments, provider and customer (tenant) access to shared physical and virtual assets may not be appropriately segmented, allowing one tenant to reach another tenant's assets or data and leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Multi-Tenant Environments (CLD-06) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Multi-Tenant Environments (CLD-06) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-06.1",
      "risk_if_not_implemented": "Without Customer Responsibility Matrix (CRM), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Customer Responsibility Matrix (CRM) (CLD-06.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Customer Responsibility Matrix (CRM) (CLD-06.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-06.2",
      "risk_if_not_implemented": "Without Multi-Tenant Event Logging Capabilities, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Multi-Tenant Event Logging Capabilities (CLD-06.2) by limiting attacker reach and lateral movement between tenants, reducing the impact of events that go undetected. Segmentation is preventive rather than detective and does not restore tenant-level visibility into security events, so a detection gap remains. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CLD-06",
        "name": "Multi-Tenant Environments",
        "description": "Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.",
        "justification": "Multi-Tenant Environments (CLD-06) provides overlapping security capability that compensates for the absence of Multi-Tenant Event Logging Capabilities (CLD-06.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-06.3",
      "risk_if_not_implemented": "Without Multi-Tenant Forensics Capabilities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Multi-Tenant Forensics Capabilities (CLD-06.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CLD-06",
        "name": "Multi-Tenant Environments",
        "description": "Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.",
        "justification": "Multi-Tenant Environments (CLD-06) provides overlapping security capability that compensates for the absence of Multi-Tenant Forensics Capabilities (CLD-06.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-06.4",
      "risk_if_not_implemented": "Without Multi-Tenant Incident Response Capabilities, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Multi-Tenant Incident Response Capabilities (CLD-06.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Multi-Tenant Incident Response Capabilities (CLD-06.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-07",
      "risk_if_not_implemented": "Without Data Handling & Portability, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Data Handling & Portability (CLD-07) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Handling & Portability (CLD-07) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-08",
      "risk_if_not_implemented": "Without Standardized Virtualization Formats, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Standardized Virtualization Formats (CLD-08) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Standardized Virtualization Formats (CLD-08) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-10",
      "risk_if_not_implemented": "Without Sensitive Data In Public Cloud Providers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Sensitive Data In Public Cloud Providers (CLD-10) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Sensitive Data In Public Cloud Providers (CLD-10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-11",
      "risk_if_not_implemented": "Without Cloud Access Security Broker (CASB), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Cloud Access Security Broker (CASB) (CLD-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Cloud Access Security Broker (CASB) (CLD-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-12",
      "risk_if_not_implemented": "Without Side Channel Attack Prevention, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Side Channel Attack Prevention (CLD-12) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Side Channel Attack Prevention (CLD-12) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-13",
      "risk_if_not_implemented": "Without Hosted Assets, Applications & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Hosted Assets, Applications & Services (CLD-13) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Hosted Assets, Applications & Services (CLD-13) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-13.1",
      "risk_if_not_implemented": "Without Authorized Individuals For Hosted Assets, Applications & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Authorized Individuals For Hosted Assets, Applications & Services (CLD-13.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Authorized Individuals For Hosted Assets, Applications & Services (CLD-13.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-13.2",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data On Hosted Assets, Applications & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Sensitive / Regulated Data On Hosted Assets, Applications & Services (CLD-13.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CLD-13",
        "name": "Hosted Assets, Applications & Services",
        "description": "Mechanisms exist to specify applicable security, compliance and resilience that must be implemented on external Technology Assets, Applications and/or Services (TAAS), consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external TAAS.",
        "justification": "Hosted Assets, Applications & Services (CLD-13) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data On Hosted Assets, Applications & Services (CLD-13.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-14",
      "risk_if_not_implemented": "Without Prohibition On Unverified Hosted Assets, Applications & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Prohibition On Unverified Hosted Assets, Applications & Services (CLD-14) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Prohibition On Unverified Hosted Assets, Applications & Services (CLD-14) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CLD-15",
      "risk_if_not_implemented": "Without Software Defined Storage (SDS), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Software Defined Storage (SDS) (CLD-15) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CLD-01",
        "name": "Cloud Services",
        "description": "Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.",
        "justification": "Cloud Services (CLD-01) provides overlapping security capability that compensates for the absence of Software Defined Storage (SDS) (CLD-15) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.1",
      "risk_if_not_implemented": "Without Non-Compliance Oversight, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Non-Compliance Oversight (CPL-01.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Non-Compliance Oversight (CPL-01.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.3",
      "risk_if_not_implemented": "Without Ability To Demonstrate Conformity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Ability To Demonstrate Conformity (CPL-01.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Ability To Demonstrate Conformity (CPL-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.4",
      "risk_if_not_implemented": "Without Conformity Assessment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Conformity Assessment (CPL-01.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Conformity Assessment (CPL-01.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.5",
      "risk_if_not_implemented": "Without Declaration of Conformity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Declaration of Conformity (CPL-01.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Declaration of Conformity (CPL-01.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.6",
      "risk_if_not_implemented": "Without Assessment Team Subject Matter Expertise, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Assessment Team Subject Matter Expertise (CPL-01.6) by establishing documented expectations, accountability structures, and organizational guardrails. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Assessment Team Subject Matter Expertise (CPL-01.6) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.7",
      "risk_if_not_implemented": "Without Designated Certifying Official, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Designated Certifying Official (CPL-01.7) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Designated Certifying Official (CPL-01.7) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-01.8",
      "risk_if_not_implemented": "Without Conformity Attestations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Conformity Attestations (CPL-01.8) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Conformity Attestations (CPL-01.8) by establishing documented expectations, accountability structures, and organizational guardrails. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-02.1",
      "risk_if_not_implemented": "Without Internal Audit Function, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Internal Audit Function (CPL-02.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Internal Audit Function (CPL-02.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-02.2",
      "risk_if_not_implemented": "Without Periodic Audits, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Periodic Audits (CPL-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Periodic Audits (CPL-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-02.3",
      "risk_if_not_implemented": "Without Corrective Action, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Corrective Action (CPL-02.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Corrective Action (CPL-02.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.1",
      "risk_if_not_implemented": "Without Independent Assessors, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Independent Assessors (CPL-03.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Independent Assessors (CPL-03.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.2",
      "risk_if_not_implemented": "Without Functional Review Of Security, Compliance & Resilience Controls, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Functional Review Of Security, Compliance & Resilience Controls (CPL-03.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Functional Review Of Security, Compliance & Resilience Controls (CPL-03.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.3",
      "risk_if_not_implemented": "Without Assessor Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assessor Access (CPL-03.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-07",
        "name": "Risk Assessment Update",
        "description": "Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.",
        "justification": "Risk Assessment Update (RSK-07) provides periodic assessment and assurance that compensates for the absence of Assessor Access (CPL-03.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.4",
      "risk_if_not_implemented": "Without Assessment Methods, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Assessment Methods (CPL-03.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assessment Methods (CPL-03.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.5",
      "risk_if_not_implemented": "Without Assessment Rigor, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Assessment Rigor (CPL-03.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assessment Rigor (CPL-03.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.6",
      "risk_if_not_implemented": "Without Evidence Request List (ERL), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Evidence Request List (ERL) (CPL-03.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Evidence Request List (ERL) (CPL-03.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-03.7",
      "risk_if_not_implemented": "Without Evidence Sampling, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Evidence Sampling (CPL-03.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Evidence Sampling (CPL-03.7) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-04",
      "risk_if_not_implemented": "Without Audit Activities, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Audit Activities (CPL-04) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Audit Activities (CPL-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-05",
      "risk_if_not_implemented": "Without Legal Assessment of Investigative Inquiries, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Legal Assessment of Investigative Inquiries (CPL-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Legal Assessment of Investigative Inquiries (CPL-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-05.1",
      "risk_if_not_implemented": "Without Investigation Request Notifications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Investigation Request Notifications (CPL-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Investigation Request Notifications (CPL-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-05.2",
      "risk_if_not_implemented": "Without Investigation Access Restrictions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Investigation Access Restrictions (CPL-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-05",
        "name": "Legal Assessment of Investigative Inquiries",
        "description": "Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.",
        "justification": "Legal Assessment of Investigative Inquiries (CPL-05) provides periodic assessment and assurance that compensates for the absence of Investigation Access Restrictions (CPL-05.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-07",
      "risk_if_not_implemented": "Without Grievances, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updating and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Grievances (CPL-07) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Grievances (CPL-07) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-07.1",
      "risk_if_not_implemented": "Without Grievance Response, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Grievance Response (CPL-07.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Obtain the source(s) of their PD;\n(4) Obtain the categories of their PD being collected, received, processed, stored and shared;\n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updating and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Grievance Response (CPL-07.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-08",
      "risk_if_not_implemented": "Without Localized Representation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Localized Representation (CPL-08) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Localized Representation (CPL-08) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-08.1",
      "risk_if_not_implemented": "Without Representative Powers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Representative Powers (CPL-08.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Representative Powers (CPL-08.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-09",
      "risk_if_not_implemented": "Without Control Reciprocity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-10",
        "name": "Control Inheritance",
        "description": "Mechanisms exist to define instances of control inheritance within assessment boundaries.",
        "justification": "Control Inheritance (CPL-10) provides overlapping security capability that compensates for the absence of Control Reciprocity (CPL-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Control Reciprocity (CPL-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-10",
      "risk_if_not_implemented": "Without Control Inheritance, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-09",
        "name": "Control Reciprocity",
        "description": "Mechanisms exist to define instances of control reciprocity within assessment boundaries.",
        "justification": "Control Reciprocity (CPL-09) provides overlapping security capability that compensates for the absence of Control Inheritance (CPL-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Control Inheritance (CPL-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-11",
      "risk_if_not_implemented": "Without Dual Use Technology, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Dual Use Technology (CPL-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-12",
        "name": "Foreign Ownership, Control or Influence (FOCI)",
        "description": "Mechanisms exist to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
        "justification": "Foreign Ownership, Control or Influence (FOCI) (TPM-12) provides overlapping security capability that compensates for the absence of Dual Use Technology (CPL-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-11.1",
      "risk_if_not_implemented": "Without USML or CCL Identification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-12",
        "name": "Foreign Ownership, Control or Influence (FOCI)",
        "description": "Mechanisms exist to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
        "justification": "Foreign Ownership, Control or Influence (FOCI) (TPM-12) provides overlapping security capability that compensates for the absence of USML or CCL Identification (CPL-11.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of USML or CCL Identification (CPL-11.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-11.2",
      "risk_if_not_implemented": "Without Export-Controlled Access Restrictions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Export-Controlled Access Restrictions (CPL-11.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-11",
        "name": "Dual Use Technology",
        "description": "Mechanisms exist to govern technologies and/or data that have potential:\n(1) \"Dual-use\" capabilities for civil and military;\n(2) Use by terrorists; and/or\n(3) Weapons of Mass Destruction (WMD) applications.",
        "justification": "Dual Use Technology (CPL-11) provides detective monitoring capability that compensates for the absence of Export-Controlled Access Restrictions (CPL-11.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-11.3",
      "risk_if_not_implemented": "Without Export Activities Documentation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-12",
        "name": "Foreign Ownership, Control or Influence (FOCI)",
        "description": "Mechanisms exist to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
        "justification": "Foreign Ownership, Control or Influence (FOCI) (TPM-12) provides overlapping security capability that compensates for the absence of Export Activities Documentation (CPL-11.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-11",
        "name": "Dual Use Technology",
        "description": "Mechanisms exist to govern technologies and/or data that have potential:\n(1) \"Dual-use\" capabilities for civil and military;\n(2) Use by terrorists; and/or\n(3) Weapons of Mass Destruction (WMD) applications.",
        "justification": "Dual Use Technology (CPL-11) provides detective monitoring capability that compensates for the absence of Export Activities Documentation (CPL-11.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-12",
      "risk_if_not_implemented": "Without Statement of Applicability (SOA), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Statement of Applicability (SOA) (CPL-12) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Statement of Applicability (SOA) (CPL-12) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-13",
      "risk_if_not_implemented": "Without Work Products, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Work Products (CPL-13) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-03",
        "name": "Applied Security, Compliance and Resilience Controls Documentation",
        "description": "Mechanisms exist to generate authoritative documentation (e.g., System Security Plan (SSP)) that:\n(1) Identifies key architectural and implementation information on in-scope Technology Assets, Applications and/or Services (TAAS);\n(2) Reflects the current state of applied security, compliance and resilience controls on applicable People, Processes, Technologies, Data and/or Facilities (PPTDF) that are contained within the system boundary; and\n(3) Provides a historical record of applied security controls, including changes.",
        "justification": "Applied Security, Compliance and Resilience Controls Documentation (IAO-03) provides resilience and recovery capability that compensates for the absence of Work Products (CPL-13) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-13.1",
      "risk_if_not_implemented": "Without Defensible Evidence of Due Diligence, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-03",
        "name": "Applied Security, Compliance and Resilience Controls Documentation",
        "description": "Mechanisms exist to generate authoritative documentation (e.g., System Security Plan (SSP)) that:\n(1) Identifies key architectural and implementation information on in-scope Technology Assets, Applications and/or Services (TAAS);\n(2) Reflects the current state of applied security, compliance and resilience controls on applicable People, Processes, Technologies, Data and/or Facilities (PPTDF) that are contained within the system boundary; and\n(3) Provides a historical record of applied security controls, including changes.",
        "justification": "Applied Security, Compliance and Resilience Controls Documentation (IAO-03) provides resilience and recovery capability that compensates for the absence of Defensible Evidence of Due Diligence (CPL-13.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Defensible Evidence of Due Diligence (CPL-13.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CPL-13.2",
      "risk_if_not_implemented": "Without Defensible Evidence of Due Care, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Defensible Evidence of Due Care (CPL-13.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-13",
        "name": "Work Products",
        "description": "Mechanisms exist to produce work products (e.g., process artifacts) that demonstrate the ability to comply with applicable requirements.",
        "justification": "Work Products (CPL-13) provides overlapping security capability that compensates for the absence of Defensible Evidence of Due Care (CPL-13.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-01",
      "risk_if_not_implemented": "Without Configuration Management Program, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Configuration Management Program (CFG-01) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-01",
        "name": "Vulnerability & Patch Management Program (VPMP)",
        "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
        "justification": "Vulnerability & Patch Management Program (VPMP) (VPM-01) provides policy-level governance that compensates for the absence of Configuration Management Program (CFG-01) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-01.1",
      "risk_if_not_implemented": "Without Assignment of Responsibility, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Assignment of Responsibility (CFG-01.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides configuration hardening that compensates for the absence of Assignment of Responsibility (CFG-01.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.1",
      "risk_if_not_implemented": "Without Reviews & Updates, secure baseline configurations may become stale and fail to reflect current hardening guidance or newly discovered weaknesses, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Reviews & Updates (CFG-02.1) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides endpoint-level protection that compensates for the absence of Reviews & Updates (CFG-02.1) by protecting the confidentiality, integrity, availability and safety of endpoint devices even where the baseline they were built from has not been recently reviewed. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.2",
      "risk_if_not_implemented": "Without Automated Central Management & Verification, configuration drift from the approved baseline may go undetected and uncorrected, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Automated Central Management & Verification (CFG-02.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automated Central Management & Verification (CFG-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.3",
      "risk_if_not_implemented": "Without Retention Of Previous Configurations, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-07",
        "name": "Zero-Touch Provisioning (ZTP)",
        "description": "Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.",
        "justification": "Zero-Touch Provisioning (ZTP) (CFG-07) provides automated secure provisioning that compensates for the absence of Retention Of Previous Configurations (CFG-02.3) by allowing a device to be re-provisioned to a known-good configuration from the current baseline when an earlier configuration cannot be restored. Note that ZTP does not preserve a history of prior configurations, so rollback to a specific earlier state remains unavailable. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Retention Of Previous Configurations (CFG-02.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.4",
      "risk_if_not_implemented": "Without Development & Test Environment Configurations, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Development & Test Environment Configurations (CFG-02.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Development & Test Environment Configurations (CFG-02.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.5",
      "risk_if_not_implemented": "Without Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas, assets deployed to or carried into high-risk areas may operate with settings that do not account for the elevated threat environment, expanding the attack surface and the likelihood of compromise.",
      "compensating_control_1": {
        "control_id": "VPM-01",
        "name": "Vulnerability & Patch Management Program (VPMP)",
        "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
        "justification": "Vulnerability & Patch Management Program (VPMP) (VPM-01) provides policy-level governance that compensates for the absence of Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas (CFG-02.5) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas (CFG-02.5) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.6",
      "risk_if_not_implemented": "Without Network Device Configuration File Synchronization, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Network Device Configuration File Synchronization (CFG-02.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Network Device Configuration File Synchronization (CFG-02.6) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.7",
      "risk_if_not_implemented": "Without Approved Configuration Deviations, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Approved Configuration Deviations (CFG-02.7) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Approved Configuration Deviations (CFG-02.7) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.8",
      "risk_if_not_implemented": "Without Respond To Unauthorized Changes, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Respond To Unauthorized Changes (CFG-02.8) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Respond To Unauthorized Changes (CFG-02.8) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-02.9",
      "risk_if_not_implemented": "Without Baseline Tailoring, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-07",
        "name": "Zero-Touch Provisioning (ZTP)",
        "description": "Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.",
        "justification": "Zero-Touch Provisioning (ZTP) (CFG-07) provides automated secure provisioning that compensates for the absence of Baseline Tailoring (CFG-02.9) by automatically applying a secure configuration to devices as they join the network, so that devices still start from hardened settings even when no baseline has been tailored for their specific role or environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-01",
        "name": "Vulnerability & Patch Management Program (VPMP)",
        "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
        "justification": "Vulnerability & Patch Management Program (VPMP) (VPM-01) provides policy-level governance that compensates for the absence of Baseline Tailoring (CFG-02.9) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-03.1",
      "risk_if_not_implemented": "Without Periodic Review of least functionality, unnecessary ports, protocols, services and software may accumulate on systems unnoticed, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Periodic Review (CFG-03.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-03",
        "name": "Prohibit Installation Without Privileged Status",
        "description": "Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.",
        "justification": "Prohibit Installation Without Privileged Status (END-03) provides a software installation restriction that compensates for the absence of Periodic Review (CFG-03.1) by preventing non-privileged users from adding software, which limits how far a system can drift from its essential capabilities between reviews. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-03.2",
      "risk_if_not_implemented": "Without Prevent Unauthorized Software Execution, unauthorized or malicious code may execute on systems, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Prevent Unauthorized Software Execution (CFG-03.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Prevent Unauthorized Software Execution (CFG-03.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-03.3",
      "risk_if_not_implemented": "Without Explicitly Allow / Deny Applications, unapproved applications may run on systems because nothing distinguishes permitted software from prohibited software, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-03",
        "name": "Prohibit Installation Without Privileged Status",
        "description": "Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.",
        "justification": "Prohibit Installation Without Privileged Status (END-03) provides a software installation restriction that compensates for the absence of Explicitly Allow / Deny Applications (CFG-03.3) by preventing non-privileged users from installing software at all, which reduces (but does not eliminate) the likelihood of unapproved applications being executed. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Explicitly Allow / Deny Applications (CFG-03.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-03.4",
      "risk_if_not_implemented": "Without Split Tunneling controls, remote endpoints may connect to the organization's network and to untrusted networks at the same time, allowing traffic to bypass boundary protections and residual security, compliance, or resilience risk to accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Split Tunneling (CFG-03.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Split Tunneling (CFG-03.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-04",
      "risk_if_not_implemented": "Without Software Usage Restrictions, software may be used in violation of applicable contract agreements and copyright laws, and unvetted software may be introduced into the environment, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Software Usage Restrictions (CFG-04) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Software Usage Restrictions (CFG-04) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-04.1",
      "risk_if_not_implemented": "Without Open Source Software controls, open source components may be adopted without review of their licensing or security risk, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Open Source Software (CFG-04.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Open Source Software (CFG-04.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-04.2",
      "risk_if_not_implemented": "Without Unsupported Internet Browsers & Email Clients restrictions, users may run browsers and email clients that no longer receive security updates, leaving known, unpatched weaknesses exposed to exploitation.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Unsupported Internet Browsers & Email Clients (CFG-04.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Unsupported Internet Browsers & Email Clients (CFG-04.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-05.1",
      "risk_if_not_implemented": "Without Unauthorized Installation Alerts, unauthorized software installations may go unnoticed, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Unauthorized Installation Alerts (CFG-05.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides software governance that compensates for the absence of Unauthorized Installation Alerts (CFG-05.1) by enforcing restrictions on what software may be used, reducing the likelihood that unauthorized software is installed in the first place. Note that this control is preventive rather than detective, so unauthorized installations that do occur may still go unnoticed. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-05.2",
      "risk_if_not_implemented": "Without Restrict Roles Permitted To Install Software, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Restrict Roles Permitted To Install Software (CFG-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-05",
        "name": "User-Installed Software",
        "description": "Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.",
        "justification": "User-Installed Software (CFG-05) provides overlapping security capability that compensates for the absence of Restrict Roles Permitted To Install Software (CFG-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-06",
      "risk_if_not_implemented": "Without Configuration Enforcement, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Configuration Enforcement (CFG-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-06",
        "name": "Control Functionality Verification",
        "description": "Mechanisms exist to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
        "justification": "Control Functionality Verification (CHG-06) provides overlapping security capability that compensates for the absence of Configuration Enforcement (CFG-06) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-06.1",
      "risk_if_not_implemented": "Without Integrity Assurance & Enforcement (IAE), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CHG-06",
        "name": "Control Functionality Verification",
        "description": "Mechanisms exist to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
        "justification": "Control Functionality Verification (CHG-06) provides overlapping security capability that compensates for the absence of Integrity Assurance & Enforcement (IAE) (CFG-06.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Integrity Assurance & Enforcement (IAE) (CFG-06.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-07",
      "risk_if_not_implemented": "Without Zero-Touch Provisioning (ZTP), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Zero-Touch Provisioning (ZTP) (CFG-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides configuration hardening that compensates for the absence of Zero-Touch Provisioning (ZTP) (CFG-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-08",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Access Enforcement, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Sensitive / Regulated Data Access Enforcement (CFG-08) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data Access Enforcement (CFG-08) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CFG-08.1",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Actions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data Actions (CFG-08.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Sensitive / Regulated Data Actions (CFG-08.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.1",
      "risk_if_not_implemented": "Without Intrusion Detection & Prevention Systems (IDS & IPS), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Intrusion Detection & Prevention Systems (IDS & IPS) (MON-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Intrusion Detection & Prevention Systems (IDS & IPS) (MON-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.2",
      "risk_if_not_implemented": "Without Automated Tools for Real-Time Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Automated Tools for Real-Time Analysis (MON-01.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Automated Tools for Real-Time Analysis (MON-01.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.3",
      "risk_if_not_implemented": "Without Inbound & Outbound Communications Traffic, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Inbound & Outbound Communications Traffic (MON-01.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Inbound & Outbound Communications Traffic (MON-01.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.4",
      "risk_if_not_implemented": "Without System Generated Alerts, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of System Generated Alerts (MON-01.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of System Generated Alerts (MON-01.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.5",
      "risk_if_not_implemented": "Without Wireless Network Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Wireless Network Monitoring (MON-01.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Wireless Network Monitoring (MON-01.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.6",
      "risk_if_not_implemented": "Without Host-Based Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Host-Based Devices (MON-01.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Host-Based Devices (MON-01.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.7",
      "risk_if_not_implemented": "Without File Integrity Monitoring (FIM), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of File Integrity Monitoring (FIM) (MON-01.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of File Integrity Monitoring (FIM) (MON-01.7) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.9",
      "risk_if_not_implemented": "Without Proxy Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Proxy Logging (MON-01.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Proxy Logging (MON-01.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.10",
      "risk_if_not_implemented": "Without Deactivated Account Activity, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Deactivated Account Activity (MON-01.10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Deactivated Account Activity (MON-01.10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.11",
      "risk_if_not_implemented": "Without Automated Response to Suspicious Events, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Automated Response to Suspicious Events (MON-01.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Automated Response to Suspicious Events (MON-01.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.12",
      "risk_if_not_implemented": "Without Automated Alerts, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Automated Alerts (MON-01.12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Automated Alerts (MON-01.12) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.13",
      "risk_if_not_implemented": "Without Alert Threshold Tuning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Alert Threshold Tuning (MON-01.13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Alert Threshold Tuning (MON-01.13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.14",
      "risk_if_not_implemented": "Without the Individuals Posing Greater Risk control, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Individuals Posing Greater Risk (MON-01.14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Individuals Posing Greater Risk (MON-01.14) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.15",
      "risk_if_not_implemented": "Without Privileged User Oversight, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Privileged User Oversight (MON-01.15) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Privileged User Oversight (MON-01.15) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.16",
      "risk_if_not_implemented": "Without the Analyze and Prioritize Monitoring Requirements control, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Analyze and Prioritize Monitoring Requirements (MON-01.16) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Analyze and Prioritize Monitoring Requirements (MON-01.16) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-01.17",
      "risk_if_not_implemented": "Without Real-Time Session Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Real-Time Session Monitoring (MON-01.17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Real-Time Session Monitoring (MON-01.17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.1",
      "risk_if_not_implemented": "Without the Correlate Monitoring Information control, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Correlate Monitoring Information (MON-02.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Correlate Monitoring Information (MON-02.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.2",
      "risk_if_not_implemented": "Without Central Review & Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Central Review & Analysis (MON-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Central Review & Analysis (MON-02.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.3",
      "risk_if_not_implemented": "Without Integration of Scanning & Other Monitoring Information, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Integration of Scanning & Other Monitoring Information (MON-02.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Integration of Scanning & Other Monitoring Information (MON-02.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.4",
      "risk_if_not_implemented": "Without Correlation with Physical Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Correlation with Physical Monitoring (MON-02.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Correlation with Physical Monitoring (MON-02.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.5",
      "risk_if_not_implemented": "Without the Permitted Actions control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Permitted Actions (MON-02.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Permitted Actions (MON-02.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.6",
      "risk_if_not_implemented": "Without Audit Level Adjustments, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Audit Level Adjustments (MON-02.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Audit Level Adjustments (MON-02.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.7",
      "risk_if_not_implemented": "Without System-Wide / Time-Correlated Audit Trail, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of System-Wide / Time-Correlated Audit Trail (MON-02.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of System-Wide / Time-Correlated Audit Trail (MON-02.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.8",
      "risk_if_not_implemented": "Without the Changes by Authorized Individuals control, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Changes by Authorized Individuals (MON-02.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Changes by Authorized Individuals (MON-02.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-02.9",
      "risk_if_not_implemented": "Without Inventory of Technology Asset Event Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Inventory of Technology Asset Event Logging (MON-02.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Inventory of Technology Asset Event Logging (MON-02.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-03.1",
      "risk_if_not_implemented": "Without the Sensitive Event Log Information control, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-04",
        "name": "Event Log Storage Capacity",
        "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "justification": "Event Log Storage Capacity (MON-04) provides detective monitoring capability that compensates for the absence of Sensitive Event Log Information (MON-03.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Sensitive Event Log Information (MON-03.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-03.3",
      "risk_if_not_implemented": "Without Privileged Functions Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Privileged Functions Logging (MON-03.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-04",
        "name": "Event Log Storage Capacity",
        "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "justification": "Event Log Storage Capacity (MON-04) provides detective monitoring capability that compensates for the absence of Privileged Functions Logging (MON-03.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-03.4",
      "risk_if_not_implemented": "Without Verbosity Logging for Boundary Devices, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-04",
        "name": "Event Log Storage Capacity",
        "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "justification": "Event Log Storage Capacity (MON-04) provides detective monitoring capability that compensates for the absence of Verbosity Logging for Boundary Devices (MON-03.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Verbosity Logging for Boundary Devices (MON-03.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-03.5",
      "risk_if_not_implemented": "Without Limit Personal Data (PD) In Audit Records, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Limit Personal Data (PD) In Audit Records (MON-03.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-04",
        "name": "Event Log Storage Capacity",
        "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "justification": "Event Log Storage Capacity (MON-04) provides detective monitoring capability that compensates for the absence of Limit Personal Data (PD) In Audit Records (MON-03.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-03.6",
      "risk_if_not_implemented": "Without Centralized Management of Event Log Content, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-04",
        "name": "Event Log Storage Capacity",
        "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "justification": "Event Log Storage Capacity (MON-04) provides detective monitoring capability that compensates for the absence of Centralized Management of Event Log Content (MON-03.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Centralized Management of Event Log Content (MON-03.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-03.7",
      "risk_if_not_implemented": "Without Database Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-03",
        "name": "Content of Event Logs",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:\n(1) Establish what type of event occurred;\n(2) When (date and time) the event occurred;\n(3) Where the event occurred;\n(4) The source of the event;\n(5) The outcome (success or failure) of the event; and \n(6) The identity of any user/subject associated with the event.",
        "justification": "Content of Event Logs (MON-03) provides detective monitoring capability that compensates for the absence of Database Logging (MON-03.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Database Logging (MON-03.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-04",
      "risk_if_not_implemented": "Without Event Log Storage Capacity, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-13",
        "name": "Alternate Event Logging Capability",
        "description": "Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.",
        "justification": "Alternate Event Logging Capability (MON-13) provides detective monitoring capability that compensates for the absence of Event Log Storage Capacity (MON-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Event Log Storage Capacity (MON-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-05",
      "risk_if_not_implemented": "Without Response To Event Log Processing Failures, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-13",
        "name": "Alternate Event Logging Capability",
        "description": "Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.",
        "justification": "Alternate Event Logging Capability (MON-13) provides detective monitoring capability that compensates for the absence of Response To Event Log Processing Failures (MON-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Response To Event Log Processing Failures (MON-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-05.1",
      "risk_if_not_implemented": "Without Real-Time Alerts of Event Logging Failure, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Real-Time Alerts of Event Logging Failure (MON-05.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-13",
        "name": "Alternate Event Logging Capability",
        "description": "Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.",
        "justification": "Alternate Event Logging Capability (MON-13) provides detective monitoring capability that compensates for the absence of Real-Time Alerts of Event Logging Failure (MON-05.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-05.2",
      "risk_if_not_implemented": "Without Event Log Storage Capacity Alerting, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-13",
        "name": "Alternate Event Logging Capability",
        "description": "Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.",
        "justification": "Alternate Event Logging Capability (MON-13) provides detective monitoring capability that compensates for the absence of Event Log Storage Capacity Alerting (MON-05.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-05",
        "name": "Response To Event Log Processing Failures",
        "description": "Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.",
        "justification": "Response To Event Log Processing Failures (MON-05) provides detective monitoring capability that compensates for the absence of Event Log Storage Capacity Alerting (MON-05.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-06",
      "risk_if_not_implemented": "Without Monitoring Reporting, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides governance oversight capability that compensates for the absence of Monitoring Reporting (MON-06) by ensuring monitoring gaps and control shortfalls are made visible to executive leadership when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Monitoring Reporting (MON-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-06.1",
      "risk_if_not_implemented": "Without Query Parameter Audits of Personal Data (PD), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Query Parameter Audits of Personal Data (PD) (MON-06.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides governance oversight capability that compensates for the absence of Query Parameter Audits of Personal Data (PD) (MON-06.1) by ensuring monitoring gaps and control shortfalls are made visible to executive leadership when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-06.2",
      "risk_if_not_implemented": "Without Trend Analysis Reporting, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides governance oversight capability that compensates for the absence of Trend Analysis Reporting (MON-06.2) by ensuring monitoring gaps and control shortfalls are made visible to executive leadership when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Trend Analysis Reporting (MON-06.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-07.1",
      "risk_if_not_implemented": "Without Synchronization With Authoritative Time Source, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Synchronization With Authoritative Time Source (MON-07.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-20",
        "name": "Clock Synchronization",
        "description": "Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks.",
        "justification": "Clock Synchronization (SEA-20) provides overlapping security capability that compensates for the absence of Synchronization With Authoritative Time Source (MON-07.1) by addressing related risk objectives through an alternative control mechanism aligned with the control's technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-08.1",
      "risk_if_not_implemented": "Without Event Log Backup on Separate Physical Systems / Components, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Event Log Backup on Separate Physical Systems / Components (MON-08.1) by ensuring data integrity through alternative technical means; note that a hash alone does not provide confidentiality, and integrity validation detects tampering but does not by itself preserve a separate copy of the logs. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-10",
        "name": "Event Log Retention",
        "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "justification": "Event Log Retention (MON-10) provides detective monitoring capability that compensates for the absence of Event Log Backup on Separate Physical Systems / Components (MON-08.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-08.2",
      "risk_if_not_implemented": "Without Access by Subset of Privileged Users, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-10",
        "name": "Event Log Retention",
        "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "justification": "Event Log Retention (MON-10) provides detective monitoring capability that compensates for the absence of Access by Subset of Privileged Users (MON-08.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Access by Subset of Privileged Users (MON-08.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-08.3",
      "risk_if_not_implemented": "Without Cryptographic Protection of Event Log Information, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Cryptographic Protection of Event Log Information (MON-08.3) by ensuring data integrity through alternative technical means; note that a hash alone does not provide confidentiality. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Cryptographic Protection of Event Log Information (MON-08.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-08.4",
      "risk_if_not_implemented": "Without Dual Authorization for Event Log Movement, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Dual Authorization for Event Log Movement (MON-08.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Dual Authorization for Event Log Movement (MON-08.4) by ensuring data integrity through alternative technical means (a hash value validates integrity but does not by itself provide confidentiality). Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-09",
      "risk_if_not_implemented": "Without Non-Repudiation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Non-Repudiation (MON-09) by ensuring data integrity through alternative technical means (a hash value validates integrity but does not by itself provide confidentiality). Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Non-Repudiation (MON-09) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-09.1",
      "risk_if_not_implemented": "Without Identity Binding, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Identity Binding (MON-09.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Identity Binding (MON-09.1) by ensuring data integrity through alternative technical means (a hash value validates integrity but does not by itself provide confidentiality). Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-11",
      "risk_if_not_implemented": "Without Monitoring For Information Disclosure, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Monitoring For Information Disclosure (MON-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Monitoring For Information Disclosure (MON-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-11.1",
      "risk_if_not_implemented": "Without the Analyze Traffic for Covert Exfiltration control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Analyze Traffic for Covert Exfiltration (MON-11.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Analyze Traffic for Covert Exfiltration (MON-11.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-11.2",
      "risk_if_not_implemented": "Without the Unauthorized Network Services control, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Unauthorized Network Services (MON-11.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-11",
        "name": "Monitoring For Information Disclosure",
        "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.",
        "justification": "Monitoring For Information Disclosure (MON-11) provides detective monitoring capability that compensates for the absence of Unauthorized Network Services (MON-11.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-11.3",
      "risk_if_not_implemented": "Without Monitoring for Indicators of Compromise (IOC), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-11",
        "name": "Monitoring For Information Disclosure",
        "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.",
        "justification": "Monitoring For Information Disclosure (MON-11) provides detective monitoring capability that compensates for the absence of Monitoring for Indicators of Compromise (IOC) (MON-11.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Monitoring for Indicators of Compromise (IOC) (MON-11.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-12",
      "risk_if_not_implemented": "Without Session Audit, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Session Audit (MON-12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Session Audit (MON-12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-13",
      "risk_if_not_implemented": "Without Alternate Event Logging Capability, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Alternate Event Logging Capability (MON-13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-04",
        "name": "Event Log Storage Capacity",
        "description": "Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.",
        "justification": "Event Log Storage Capacity (MON-04) provides detective monitoring capability that compensates for the absence of Alternate Event Logging Capability (MON-13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-14",
      "risk_if_not_implemented": "Without Cross-Organizational Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-05",
        "name": "Interconnection Security Agreements (ISAs)",
        "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and\n(3) The nature of the information communicated.",
        "justification": "Interconnection Security Agreements (ISAs) (NET-05) provides overlapping security capability that compensates for the absence of Cross-Organizational Monitoring (MON-14) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Cross-Organizational Monitoring (MON-14) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-14.1",
      "risk_if_not_implemented": "Without Sharing of Event Logs, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Sharing of Event Logs (MON-14.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-05",
        "name": "Interconnection Security Agreements (ISAs)",
        "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and\n(3) The nature of the information communicated.",
        "justification": "Interconnection Security Agreements (ISAs) (NET-05) provides overlapping security capability that compensates for the absence of Sharing of Event Logs (MON-14.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-15",
      "risk_if_not_implemented": "Without Covert Channel Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Covert Channel Analysis (MON-15) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Covert Channel Analysis (MON-15) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-16.1",
      "risk_if_not_implemented": "Without the Insider Threats control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Insider Threats (MON-16.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-11",
        "name": "Behavioral Baselining",
        "description": "Automated mechanisms exist to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.",
        "justification": "Behavioral Baselining (THR-11) provides overlapping security capability that compensates for the absence of Insider Threats (MON-16.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-16.2",
      "risk_if_not_implemented": "Without the Third-Party Threats control, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "THR-11",
        "name": "Behavioral Baselining",
        "description": "Automated mechanisms exist to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.",
        "justification": "Behavioral Baselining (THR-11) provides overlapping security capability that compensates for the absence of Third-Party Threats (MON-16.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Third-Party Threats (MON-16.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-16.3",
      "risk_if_not_implemented": "Without the Unauthorized Activities control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Unauthorized Activities (MON-16.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-11",
        "name": "Behavioral Baselining",
        "description": "Automated mechanisms exist to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.",
        "justification": "Behavioral Baselining (THR-11) provides overlapping security capability that compensates for the absence of Unauthorized Activities (MON-16.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-16.4",
      "risk_if_not_implemented": "Without Account Creation and Modification Logging, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Account Creation and Modification Logging (MON-16.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Account Creation and Modification Logging (MON-16.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-17",
      "risk_if_not_implemented": "Without Event Log Analysis & Triage, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Event Log Analysis & Triage (MON-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Event Log Analysis & Triage (MON-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-17.1",
      "risk_if_not_implemented": "Without Event Log Review Escalation Matrix, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Event Log Review Escalation Matrix (MON-17.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Event Log Review Escalation Matrix (MON-17.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-18",
      "risk_if_not_implemented": "Without File Activity Monitoring (FAM), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of File Activity Monitoring (FAM) (MON-18) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of File Activity Monitoring (FAM) (MON-18) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MON-19",
      "risk_if_not_implemented": "Without Write Once Read Many (WORM) Event Log Generation, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Write Once Read Many (WORM) Event Log Generation (MON-19) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Write Once Read Many (WORM) Event Log Generation (MON-19) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-01.1",
      "risk_if_not_implemented": "Without Alternate Physical Protection, unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Alternate Physical Protection (CRY-01.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Alternate Physical Protection (CRY-01.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-01.2",
      "risk_if_not_implemented": "Without Export-Controlled Cryptography, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Export-Controlled Cryptography (CRY-01.2) by ensuring data confidentiality and integrity through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Export-Controlled Cryptography (CRY-01.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-01.3",
      "risk_if_not_implemented": "Without Pre/Post Transmission Handling, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Pre/Post Transmission Handling (CRY-01.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Pre/Post Transmission Handling (CRY-01.3) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-01.4",
      "risk_if_not_implemented": "Without Conceal / Randomize Communications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Conceal / Randomize Communications (CRY-01.4) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Conceal / Randomize Communications (CRY-01.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-01.5",
      "risk_if_not_implemented": "Without Cryptographic Cipher Suites and Protocols Inventory, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Cryptographic Cipher Suites and Protocols Inventory (CRY-01.5) by ensuring data confidentiality and integrity through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Cryptographic Cipher Suites and Protocols Inventory (CRY-01.5) by ensuring data confidentiality and integrity through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-02",
      "risk_if_not_implemented": "Without Automated Authentication Through Cryptographic Modules, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Automated Authentication Through Cryptographic Modules (CRY-02) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Automated Authentication Through Cryptographic Modules (CRY-02) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-05.1",
      "risk_if_not_implemented": "Without Storage Media, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Storage Media (CRY-05.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Storage Media (CRY-05.1) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-05.2",
      "risk_if_not_implemented": "Without Offline Storage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Offline Storage (CRY-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Offline Storage (CRY-05.2) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-05.3",
      "risk_if_not_implemented": "Without Database Encryption, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Database Encryption (CRY-05.3) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Database Encryption (CRY-05.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-06",
      "risk_if_not_implemented": "Without Non-Console Administrative Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Non-Console Administrative Access (CRY-06) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Non-Console Administrative Access (CRY-06) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-07",
      "risk_if_not_implemented": "Without Wireless Access Authentication & Encryption, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Wireless Access Authentication & Encryption (CRY-07) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Wireless Access Authentication & Encryption (CRY-07) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-08",
      "risk_if_not_implemented": "Without Public Key Infrastructure (PKI), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Public Key Infrastructure (PKI) (CRY-08) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Public Key Infrastructure (PKI) (CRY-08) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-08.1",
      "risk_if_not_implemented": "Without Availability, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Availability (CRY-08.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Availability (CRY-08.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.1",
      "risk_if_not_implemented": "Without Symmetric Keys, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Symmetric Keys (CRY-09.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Symmetric Keys (CRY-09.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.2",
      "risk_if_not_implemented": "Without Asymmetric Keys, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Asymmetric Keys (CRY-09.2) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Asymmetric Keys (CRY-09.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.3",
      "risk_if_not_implemented": "Without controls for Cryptographic Key Loss or Change, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Cryptographic Key Loss or Change (CRY-09.3) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Cryptographic Key Loss or Change (CRY-09.3) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.4",
      "risk_if_not_implemented": "Without Control & Distribution of Cryptographic Keys, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Control & Distribution of Cryptographic Keys (CRY-09.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Control & Distribution of Cryptographic Keys (CRY-09.4) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.5",
      "risk_if_not_implemented": "Without Assigned Owners, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Assigned Owners (CRY-09.5) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Assigned Owners (CRY-09.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.6",
      "risk_if_not_implemented": "Without controls for Third-Party Cryptographic Keys, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Third-Party Cryptographic Keys (CRY-09.6) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Third-Party Cryptographic Keys (CRY-09.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-09.7",
      "risk_if_not_implemented": "Without External System Cryptographic Key Control, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of External System Cryptographic Key Control (CRY-09.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of External System Cryptographic Key Control (CRY-09.7) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-10",
      "risk_if_not_implemented": "Without Transmission of Cybersecurity & Data Protection Attributes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Transmission of Cybersecurity & Data Protection Attributes (CRY-10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Transmission of Cybersecurity & Data Protection Attributes (CRY-10) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-11",
      "risk_if_not_implemented": "Without Certificate Authorities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Certificate Authorities (CRY-11) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-08",
        "name": "Public Key Infrastructure (PKI)",
        "description": "Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.",
        "justification": "Public Key Infrastructure (PKI) (CRY-08) provides overlapping security capability that compensates for the absence of Certificate Authorities (CRY-11) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-12",
      "risk_if_not_implemented": "Without Certificate Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Certificate Monitoring (CRY-12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-11",
        "name": "Certificate Authorities",
        "description": "Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.",
        "justification": "Certificate Authorities (CRY-11) provides overlapping security capability that compensates for the absence of Certificate Monitoring (CRY-12) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "CRY-13",
      "risk_if_not_implemented": "Without Cryptographic Hash, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-04",
        "name": "Transmission Integrity",
        "description": "Cryptographic mechanisms exist to protect the integrity of data being transmitted.",
        "justification": "Transmission Integrity (CRY-04) provides cryptographic protection that compensates for the absence of Cryptographic Hash (CRY-13) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Cryptographic Hash (CRY-13) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-01.2",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Sensitive / Regulated Data Protection (DCH-01.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Sensitive / Regulated Data Protection (DCH-01.2) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-01.3",
      "risk_if_not_implemented": "Without Sensitive / Regulated Media Records, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Sensitive / Regulated Media Records (DCH-01.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Sensitive / Regulated Media Records (DCH-01.3) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-01.4",
      "risk_if_not_implemented": "Without Defining Access Authorizations for Sensitive / Regulated Data, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Defining Access Authorizations for Sensitive / Regulated Data (DCH-01.4) by ensuring data confidentiality and integrity through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Defining Access Authorizations for Sensitive / Regulated Data (DCH-01.4) by ensuring data confidentiality and integrity through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-02.1",
      "risk_if_not_implemented": "Without Highest Classification Level, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Highest Classification Level (DCH-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Highest Classification Level (DCH-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-03",
      "risk_if_not_implemented": "Without Media Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Media Access (DCH-03) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Media Access (DCH-03) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-03.2",
      "risk_if_not_implemented": "Without Masking Displayed Data, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Masking Displayed Data (DCH-03.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Masking Displayed Data (DCH-03.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-03.3",
      "risk_if_not_implemented": "Without Controlled Release, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Controlled Release (DCH-03.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-03",
        "name": "Media Access",
        "description": "Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.",
        "justification": "Media Access (DCH-03) provides access control enforcement that compensates for the absence of Controlled Release (DCH-03.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-04",
      "risk_if_not_implemented": "Without Media Marking, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Media Marking (DCH-04) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Media Marking (DCH-04) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-04.1",
      "risk_if_not_implemented": "Without Automated Marking, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Automated Marking (DCH-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-31",
        "name": "Asset Categorization",
        "description": "Mechanisms exist to categorize Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Asset Categorization (AST-31) provides overlapping security capability that compensates for the absence of Automated Marking (DCH-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05",
      "risk_if_not_implemented": "Without Cybersecurity & Data Protection Attributes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Cybersecurity & Data Protection Attributes (DCH-05) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Cybersecurity & Data Protection Attributes (DCH-05) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.1",
      "risk_if_not_implemented": "Without Dynamic Attribute Association, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Dynamic Attribute Association (DCH-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Dynamic Attribute Association (DCH-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.2",
      "risk_if_not_implemented": "Without Attribute Value Changes By Authorized Individuals, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Attribute Value Changes By Authorized Individuals (DCH-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Attribute Value Changes By Authorized Individuals (DCH-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.3",
      "risk_if_not_implemented": "Without Maintenance of Attribute Associations By System, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Maintenance of Attribute Associations By System (DCH-05.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Maintenance of Attribute Associations By System (DCH-05.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.4",
      "risk_if_not_implemented": "Without Association of Attributes By Authorized Individuals, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Association of Attributes By Authorized Individuals (DCH-05.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Association of Attributes By Authorized Individuals (DCH-05.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.5",
      "risk_if_not_implemented": "Without Attribute Displays for Output Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Attribute Displays for Output Devices (DCH-05.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Attribute Displays for Output Devices (DCH-05.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.6",
      "risk_if_not_implemented": "Without Data Subject Attribute Associations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Data Subject Attribute Associations (DCH-05.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Data Subject Attribute Associations (DCH-05.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.7",
      "risk_if_not_implemented": "Without Consistent Attribute Interpretation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Consistent Attribute Interpretation (DCH-05.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Consistent Attribute Interpretation (DCH-05.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.8",
      "risk_if_not_implemented": "Without Identity Association Techniques & Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Identity Association Techniques & Technologies (DCH-05.8) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Identity Association Techniques & Technologies (DCH-05.8) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.9",
      "risk_if_not_implemented": "Without Attribute Reassignment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Attribute Reassignment (DCH-05.9) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Attribute Reassignment (DCH-05.9) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.10",
      "risk_if_not_implemented": "Without Attribute Configuration By Authorized Individuals, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Attribute Configuration By Authorized Individuals (DCH-05.10) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Attribute Configuration By Authorized Individuals (DCH-05.10) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-05.11",
      "risk_if_not_implemented": "Without Audit Changes, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Audit Changes (DCH-05.11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Audit Changes (DCH-05.11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-06",
      "risk_if_not_implemented": "Without Media Storage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Media Storage (DCH-06) by preventing unauthorized physical interaction with systems and infrastructure. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Media Storage (DCH-06) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-06.1",
      "risk_if_not_implemented": "Without Physically Secure All Media, unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Physically Secure All Media (DCH-06.1) by ensuring data confidentiality and integrity through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Physically Secure All Media (DCH-06.1) by restricting system and data access to authorized users through alternative physical access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-06.2",
      "risk_if_not_implemented": "Without Sensitive Data Inventories, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Sensitive Data Inventories (DCH-06.2) by restricting system and data access to authorized users through alternative physical access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Sensitive Data Inventories (DCH-06.2) by preventing unauthorized disclosure of stored data regardless of whether its location is known, provided encryption is applied broadly rather than only to known repositories. CRY-05 addresses confidentiality, not integrity or discovery; this compensating control targets the same underlying disclosure risk through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-06.3",
      "risk_if_not_implemented": "Without Periodic Scans for Sensitive / Regulated Data, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Periodic Scans for Sensitive / Regulated Data (DCH-06.3) by preventing unauthorized disclosure of stored data even where sensitive data has accumulated in unscanned locations, provided encryption is applied broadly. CRY-05 protects confidentiality only and does not locate misplaced data; this compensating control targets the same underlying disclosure risk through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-06",
        "name": "Media Storage",
        "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "justification": "Media Storage (DCH-06) provides overlapping security capability that compensates for the absence of Periodic Scans for Sensitive / Regulated Data (DCH-06.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-06.4",
      "risk_if_not_implemented": "Without Making Sensitive Data Unreadable In Storage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Making Sensitive Data Unreadable In Storage (DCH-06.4) by preventing unauthorized physical interaction with systems and storage media. Because the data itself remains readable, this compensation does not cover media that is lost, stolen or removed from protected areas, nor logical access by users who already have system access; it helps to maintain an acceptable level of residual risk only while media stays within physically protected space until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-06",
        "name": "Media Storage",
        "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "justification": "Media Storage (DCH-06) provides overlapping security capability that compensates for the absence of Making Sensitive Data Unreadable In Storage (DCH-06.4) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-06.5",
      "risk_if_not_implemented": "Without Storing Authentication Data, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "DCH-06",
        "name": "Media Storage",
        "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "justification": "Media Storage (DCH-06) provides overlapping security capability that compensates for the absence of Storing Authentication Data (DCH-06.5) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Storing Authentication Data (DCH-06.5) by preventing unauthorized disclosure of stored authentication data through alternative technical means. CRY-05 addresses confidentiality only; the authentication data remains present and is readable by anyone with access to the decryption keys, so key access must be tightly restricted for this compensation to hold. This compensating control targets the same underlying disclosure risk through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-07",
      "risk_if_not_implemented": "Without Media Transportation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Media Transportation (DCH-07) only where data is moved over an encrypted network channel instead of on physical media; in that case unauthorized disclosure during transfer is prevented by alternative technical means. CRY-03 protects the confidentiality of network transmission and offers no protection to media physically in transit, so it does not compensate where physical media transport continues. Within that scope this compensating control targets the same underlying risk objective, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-14",
        "name": "Cross-Organizational Monitoring",
        "description": "Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.",
        "justification": "Cross-Organizational Monitoring (MON-14) provides a detective capability that only partially compensates for the absence of Media Transportation (DCH-07): sharing sanitized event logs with external organizations can surface anomalous access to the data after the fact, but it does not detect the loss or theft of media in physical transit unless the handling of that media generates logged events. This is a weak compensation for a preventive control and should be paired with a stronger alternative; it helps to maintain an acceptable level of residual risk only until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-07.1",
      "risk_if_not_implemented": "Without Custodians, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Custodians (DCH-07.1) by preventing unauthorized disclosure of data transferred over a network, reducing reliance on accountable individuals for media moved physically. CRY-03 addresses confidentiality of network transmission only; it does not establish accountability for media handling or protect media physically in transit. This compensating control targets the same underlying disclosure risk through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-05",
        "name": "Interconnection Security Agreements (ISAs)",
        "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and;\n(3) The nature of the information communicated.",
        "justification": "Interconnection Security Agreements (ISAs) (NET-05) provides overlapping security capability that compensates for the absence of Custodians (DCH-07.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-07.2",
      "risk_if_not_implemented": "Without Encrypting Data In Storage Media, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "NET-05",
        "name": "Interconnection Security Agreements (ISAs)",
        "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and;\n(3) The nature of the information communicated.",
        "justification": "Interconnection Security Agreements (ISAs) (NET-05) provides overlapping security capability that compensates for the absence of Encrypting Data In Storage Media (DCH-07.2) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Encrypting Data In Storage Media (DCH-07.2) only where data is transferred over an encrypted network channel rather than on physical storage media; unencrypted media that is transported, lost or stolen is not protected. CRY-03 addresses confidentiality, not integrity. Within that scope this compensating control targets the same underlying disclosure risk through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-09.1",
      "risk_if_not_implemented": "Without System Media Sanitization Documentation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "AST-09",
        "name": "Secure Disposal, Destruction or Re-Use of Equipment",
        "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
        "justification": "Secure Disposal, Destruction or Re-Use of Equipment (AST-09) provides overlapping security capability that compensates for the absence of System Media Sanitization Documentation (DCH-09.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-08",
        "name": "Physical Media Disposal",
        "description": "Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.",
        "justification": "Physical Media Disposal (DCH-08) provides formal disposal procedures that compensate for the absence of System Media Sanitization Documentation (DCH-09.1) by ensuring media is securely disposed of when no longer required, reducing the chance of data recovery even where sanitization records are missing. It does not produce evidence that sanitization occurred, so the auditability gap remains; disposal records should be retained to partially fill it. This compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-09.2",
      "risk_if_not_implemented": "Without Equipment Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-08",
        "name": "Physical Media Disposal",
        "description": "Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.",
        "justification": "Physical Media Disposal (DCH-08) provides formal disposal procedures that compensate for the absence of Equipment Testing (DCH-09.2) by ensuring media is securely disposed of through defined procedures; physically destroying media that would otherwise be sanitized reduces reliance on untested sanitization equipment. It does not verify that sanitization equipment works as intended, so media that is sanitized for reuse rather than destroyed remains at risk. This compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides overlapping security capability that compensates for the absence of Equipment Testing (DCH-09.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-09.3",
      "risk_if_not_implemented": "Without Sanitization of Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "AST-09",
        "name": "Secure Disposal, Destruction or Re-Use of Equipment",
        "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
        "justification": "Secure Disposal, Destruction or Re-Use of Equipment (AST-09) provides overlapping security capability that compensates for the absence of Sanitization of Personal Data (PD) (DCH-09.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides overlapping security capability that compensates for the absence of Sanitization of Personal Data (PD) (DCH-09.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-09.4",
      "risk_if_not_implemented": "Without First Time Use Sanitization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides sanitization capability that compensates for the absence of First Time Use Sanitization (DCH-09.4) only if the organization also applies its sanitization procedures to newly received media; as described, DCH-09 sanitizes media prior to disposal, release or reuse, which does not by itself address data or unwanted content present on media when it is first put into use. Under that extended application this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-09",
        "name": "Secure Disposal, Destruction or Re-Use of Equipment",
        "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
        "justification": "Secure Disposal, Destruction or Re-Use of Equipment (AST-09) provides overlapping security capability that compensates for the absence of First Time Use Sanitization (DCH-09.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-09.5",
      "risk_if_not_implemented": "Without Dual Authorization for Sensitive Data Destruction, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-08",
        "name": "Physical Media Disposal",
        "description": "Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.",
        "justification": "Physical Media Disposal (DCH-08) provides formal disposal procedures that compensate for the absence of Dual Authorization for Sensitive Data Destruction (DCH-09.5) by ensuring destruction follows defined, repeatable steps rather than ad hoc decisions. It does not supply the two-person approval that guards against a single individual erroneously or maliciously destroying sensitive data, so the separation-of-duties risk is only partially addressed. This compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-09",
        "name": "Secure Disposal, Destruction or Re-Use of Equipment",
        "description": "Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.",
        "justification": "Secure Disposal, Destruction or Re-Use of Equipment (AST-09) provides defined disposal and destruction techniques that compensate for the absence of Dual Authorization for Sensitive Data Destruction (DCH-09.5) by ensuring destruction is performed through organization-defined methods rather than at an individual's discretion. It does not provide a second approver, so it reduces the risk of improper destruction technique rather than the risk of a single person authorizing destruction that should not occur. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-10",
      "risk_if_not_implemented": "Without Media Use, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Media Use (DCH-10) to the extent that the restricted ports, protocols and services include the interfaces through which removable media is mounted or accessed; general service hardening that leaves removable-media interfaces enabled does not compensate. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Media Use (DCH-10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-10.2",
      "risk_if_not_implemented": "Without Prohibit Use Without Owner, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Prohibit Use Without Owner (DCH-10.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-10",
        "name": "Media Use",
        "description": "Mechanisms exist to restrict the use of types of digital media on systems or system components.",
        "justification": "Media Use (DCH-10) provides overlapping security capability that compensates for the absence of Prohibit Use Without Owner (DCH-10.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-11",
      "risk_if_not_implemented": "Without Data Reclassification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Data Reclassification (DCH-11) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Data Reclassification (DCH-11) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-13",
      "risk_if_not_implemented": "Without Use of External Technology Assets, Applications and/or Services (TAAS), organizational data may be stored, processed or transmitted by external parties without defined security requirements or oversight, increasing the risk of unauthorized disclosure and loss of visibility over where data resides.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Use of External Technology Assets, Applications and/or Services (TAAS) (DCH-13) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides partial compensation for the absence of Use of External Technology Assets, Applications and/or Services (TAAS) (DCH-13) by enforcing which software may be used under contractual terms, which can limit uncontrolled adoption of external applications and services. As described, CFG-04 is oriented to contract and copyright compliance rather than to the security of data held by external parties, so it does not address how that data is protected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-13.1",
      "risk_if_not_implemented": "Without Limits of Authorized Use, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Limits of Authorized Use (DCH-13.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Limits of Authorized Use (DCH-13.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-13.2",
      "risk_if_not_implemented": "Without Portable Storage Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Portable Storage Devices (DCH-13.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-13",
        "name": "Use of External Technology Assets, Applications and/or Services (TAAS)",
        "description": "Mechanisms exist to govern how external parties, including Technology Assets, Applications and/or Services (TAAS), are used to securely store, process and transmit data.",
        "justification": "Use of External Technology Assets, Applications and/or Services (TAAS) (DCH-13) provides governance over how external parties and assets are used to store, process and transmit data, which compensates for the absence of Portable Storage Devices (DCH-13.2) by constraining the channels through which data can leave organizational control, even though it does not itself address removable media. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-13.4",
      "risk_if_not_implemented": "Without Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS), organizational data may be stored, processed or transmitted on assets the organization does not own or control, increasing the risk of unauthorized disclosure and reducing visibility into where sensitive/regulated data resides.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS) (DCH-13.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS) (DCH-13.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-14",
      "risk_if_not_implemented": "Without Information Sharing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Information Sharing (DCH-14) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Information Sharing (DCH-14) by protecting the confidentiality of data in transit through alternative technical means, although it does not govern whether a given sharing decision is appropriate. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-14.1",
      "risk_if_not_implemented": "Without Information Search & Retrieval, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Information Search & Retrieval (DCH-14.1) by protecting the confidentiality of data in transit through alternative technical means. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Information Search & Retrieval (DCH-14.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-14.2",
      "risk_if_not_implemented": "Without Transfer Authorizations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Transfer Authorizations (DCH-14.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Transfer Authorizations (DCH-14.2) by protecting the confidentiality of data in transit through alternative technical means, although it does not by itself restrict who may initiate a transfer. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-14.3",
      "risk_if_not_implemented": "Without Data Access Mapping, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Data Access Mapping (DCH-14.3) by protecting the confidentiality of data in transit through alternative technical means. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-14",
        "name": "Information Sharing",
        "description": "Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.",
        "justification": "Information Sharing (DCH-14) provides overlapping security capability that compensates for the absence of Data Access Mapping (DCH-14.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-16",
      "risk_if_not_implemented": "Without Data Mining Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Data Mining Protection (DCH-16) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Data Mining Protection (DCH-16) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-17",
      "risk_if_not_implemented": "Without Ad-Hoc Transfers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Ad-Hoc Transfers (DCH-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Ad-Hoc Transfers (DCH-17) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-18",
      "risk_if_not_implemented": "Without Media & Data Retention, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides overlapping security capability that compensates for the absence of Media & Data Retention (DCH-18) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-10",
        "name": "Event Log Retention",
        "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "justification": "Event Log Retention (MON-10) provides retained event logs that support after-the-fact investigations, which partially compensates for the absence of Media & Data Retention (DCH-18) by preserving a record of how media and data were handled so that retention failures can be identified and investigated, although it does not itself retain the underlying media or data. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-18.1",
      "risk_if_not_implemented": "Without Minimize Sensitive / Regulated Data, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-10",
        "name": "Event Log Retention",
        "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "justification": "Event Log Retention (MON-10) provides retained event logs that support after-the-fact investigations, which compensates for the absence of Minimize Sensitive / Regulated Data (DCH-18.1) by preserving evidence of where sensitive/regulated data was accessed or processed so that over-collection and over-retention can be identified and remediated. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Minimize Sensitive / Regulated Data (DCH-18.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-18.2",
      "risk_if_not_implemented": "Without Limit Sensitive / Regulated Data In Testing, Training & Research, sensitive or regulated data may be exposed in non-production environments that lack production-grade safeguards, increasing the likelihood of unauthorized disclosure and regulatory non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Limit Sensitive / Regulated Data In Testing, Training & Research (DCH-18.2) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-10",
        "name": "Event Log Retention",
        "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "justification": "Event Log Retention (MON-10) provides retained event logs that support after-the-fact investigations, which compensates for the absence of Limit Sensitive / Regulated Data In Testing, Training & Research (DCH-18.2) by preserving evidence of sensitive/regulated data being introduced into testing, training or research environments so that such use can be identified and remediated. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-18.3",
      "risk_if_not_implemented": "Without Temporary Files Containing Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "MON-10",
        "name": "Event Log Retention",
        "description": "Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.",
        "justification": "Event Log Retention (MON-10) provides retained event logs that support after-the-fact investigations, which compensates for the absence of Temporary Files Containing Personal Data (PD) (DCH-18.3) by preserving evidence of where temporary files containing personal data were created or accessed so that lingering copies can be identified and removed. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides overlapping security capability that compensates for the absence of Temporary Files Containing Personal Data (PD) (DCH-18.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-19",
      "risk_if_not_implemented": "Without Geographic Location of Data, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CLD-09",
        "name": "Geolocation Requirements for Processing, Storage and Service Locations",
        "description": "Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.",
        "justification": "Geolocation Requirements for Processing, Storage and Service Locations (CLD-09) provides overlapping security capability that compensates for the absence of Geographic Location of Data (DCH-19) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-26",
        "name": "Data Localization",
        "description": "Mechanisms exist to constrain the impact of \"digital sovereignty laws,\" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.",
        "justification": "Data Localization (DCH-26) provides overlapping security capability that compensates for the absence of Geographic Location of Data (DCH-19) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-20",
      "risk_if_not_implemented": "Without Archived Data Sets, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Archived Data Sets (DCH-20) by ensuring the organization can restore operations and data when the primary control is absent. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-06",
        "name": "Media Storage",
        "description": "Mechanisms exist to: \n(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and\n(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.",
        "justification": "Media Storage (DCH-06) provides overlapping security capability that compensates for the absence of Archived Data Sets (DCH-20) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-22",
      "risk_if_not_implemented": "Without Data Quality Operations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Data Quality Operations (DCH-22) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-10",
        "name": "Data Quality Management",
        "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "justification": "Data Quality Management (PRI-10) provides overlapping security capability that compensates for the absence of Data Quality Operations (DCH-22) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-22.1",
      "risk_if_not_implemented": "Without Updating & Correcting Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-10",
        "name": "Data Quality Management",
        "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "justification": "Data Quality Management (PRI-10) provides overlapping security capability that compensates for the absence of Updating & Correcting Personal Data (PD) (DCH-22.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Updating & Correcting Personal Data (PD) (DCH-22.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-22.2",
      "risk_if_not_implemented": "Without Data Tags, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Data Tags (DCH-22.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Data Tags (DCH-22.2) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-22.3",
      "risk_if_not_implemented": "Without Primary Source Personal Data (PD) Collection, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Primary Source Personal Data (PD) Collection (DCH-22.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-10",
        "name": "Data Quality Management",
        "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "justification": "Data Quality Management (PRI-10) provides overlapping security capability that compensates for the absence of Primary Source Personal Data (PD) Collection (DCH-22.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23",
      "risk_if_not_implemented": "Without De-Identification (Anonymization), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of De-Identification (Anonymization) (DCH-23) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of De-Identification (Anonymization) (DCH-23) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.1",
      "risk_if_not_implemented": "Without De-Identify Dataset Upon Collection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of De-Identify Dataset Upon Collection (DCH-23.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of De-Identify Dataset Upon Collection (DCH-23.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.2",
      "risk_if_not_implemented": "Without Archiving, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Archiving (DCH-23.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Archiving (DCH-23.2) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.3",
      "risk_if_not_implemented": "Without Release, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Release (DCH-23.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Release (DCH-23.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.4",
      "risk_if_not_implemented": "Without Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers (DCH-23.4) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers (DCH-23.4) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.5",
      "risk_if_not_implemented": "Without Statistical Disclosure Control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Statistical Disclosure Control (DCH-23.5) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Statistical Disclosure Control (DCH-23.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.6",
      "risk_if_not_implemented": "Without Differential Data Privacy, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Differential Data Privacy (DCH-23.6) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Differential Data Privacy (DCH-23.6) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.7",
      "risk_if_not_implemented": "Without Automated De-Identification of Sensitive Data, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Automated De-Identification of Sensitive Data (DCH-23.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Automated De-Identification of Sensitive Data (DCH-23.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.8",
      "risk_if_not_implemented": "Without Motivated Intruder, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Motivated Intruder (DCH-23.8) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Motivated Intruder (DCH-23.8) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-23.9",
      "risk_if_not_implemented": "Without Code Names, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Code Names (DCH-23.9) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroy, erase, and/or anonymize the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Code Names (DCH-23.9) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-24.1",
      "risk_if_not_implemented": "Without Automated Tools to Support Information Location, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Automated Tools to Support Information Location (DCH-24.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Automated Tools to Support Information Location (DCH-24.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-25.1",
      "risk_if_not_implemented": "Without Transfer Activity Limits, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-17",
        "name": "Data Loss Prevention (DLP)",
        "description": "Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.",
        "justification": "Data Loss Prevention (DLP) (NET-17) provides detective monitoring capability that compensates for the absence of Transfer Activity Limits (DCH-25.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Transfer Activity Limits (DCH-25.1) by ensuring the confidentiality of data in transit through alternative technical means. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "DCH-27",
      "risk_if_not_implemented": "Without Data Rights Management (DRM), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Data Rights Management (DRM) (DCH-27) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Data Rights Management (DRM) (DCH-27) by ensuring the confidentiality of data at rest through alternative technical means. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-02",
      "risk_if_not_implemented": "Without Internet of Things (IOT), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Internet of Things (IOT) (EMB-02) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Internet of Things (IOT) (EMB-02) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-03",
      "risk_if_not_implemented": "Without Operational Technology (OT), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Operational Technology (OT) (EMB-03) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Operational Technology (OT) (EMB-03) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-04",
      "risk_if_not_implemented": "Without Interface Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Interface Security (EMB-04) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Interface Security (EMB-04) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-05",
      "risk_if_not_implemented": "Without Embedded Technology Configuration Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Embedded Technology Configuration Monitoring (EMB-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Embedded Technology Configuration Monitoring (EMB-05) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-06",
      "risk_if_not_implemented": "Without Prevent Alterations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Prevent Alterations (EMB-06) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Prevent Alterations (EMB-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-07",
      "risk_if_not_implemented": "Without Embedded Technology Maintenance, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MNT-01",
        "name": "Maintenance Operations",
        "description": "Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.",
        "justification": "Maintenance Operations (MNT-01) provides overlapping security capability that compensates for the absence of Embedded Technology Maintenance (EMB-07) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Embedded Technology Maintenance (EMB-07) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-08",
      "risk_if_not_implemented": "Without Resilience To Outages, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Resilience To Outages (EMB-08) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-01",
        "name": "Capacity & Performance Management",
        "description": "Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.",
        "justification": "Capacity & Performance Management (CAP-01) provides overlapping security capability that compensates for the absence of Resilience To Outages (EMB-08) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-09",
      "risk_if_not_implemented": "Without Power Level Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Power Level Monitoring (EMB-09) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Power Level Monitoring (EMB-09) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-10",
      "risk_if_not_implemented": "Without Embedded Technology Reviews, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Embedded Technology Reviews (EMB-10) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Embedded Technology Reviews (EMB-10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-11",
      "risk_if_not_implemented": "Without Message Queuing Telemetry Transport (MQTT) Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Message Queuing Telemetry Transport (MQTT) Security (EMB-11) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Message Queuing Telemetry Transport (MQTT) Security (EMB-11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-12",
      "risk_if_not_implemented": "Without Restrict Communications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Restrict Communications (EMB-12) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Restrict Communications (EMB-12) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-13",
      "risk_if_not_implemented": "Without Authorized Communications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Authorized Communications (EMB-13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restricts network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides access control enforcement that compensates for the absence of Authorized Communications (EMB-13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-14",
      "risk_if_not_implemented": "Without Operating Environment Certification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Operating Environment Certification (EMB-14) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Operating Environment Certification (EMB-14) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-15",
      "risk_if_not_implemented": "Without Safety Assessment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Safety Assessment (EMB-15) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Safety Assessment (EMB-15) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-16",
      "risk_if_not_implemented": "Without Certificate-Based Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-02",
        "name": "Automated Authentication Through Cryptographic Modules",
        "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.",
        "justification": "Automated Authentication Through Cryptographic Modules (CRY-02) provides cryptographic protection that compensates for the absence of Certificate-Based Authentication (EMB-16) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Certificate-Based Authentication (EMB-16) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-17",
      "risk_if_not_implemented": "Without Chip-To-Cloud Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-01",
        "name": "Use of Cryptographic Controls",
        "description": "Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.",
        "justification": "Use of Cryptographic Controls (CRY-01) provides cryptographic protection that compensates for the absence of Chip-To-Cloud Security (EMB-17) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Chip-To-Cloud Security (EMB-17) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-18",
      "risk_if_not_implemented": "Without Real-Time Operating System (RTOS) Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Real-Time Operating System (RTOS) Security (EMB-18) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Real-Time Operating System (RTOS) Security (EMB-18) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "EMB-19",
      "risk_if_not_implemented": "Without Safe Operations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "EMB-15",
        "name": "Safety Assessment",
        "description": "Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.",
        "justification": "Safety Assessment (EMB-15) provides periodic assessment and assurance that compensates for the absence of Safe Operations (EMB-19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Safe Operations (EMB-19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-01.1",
      "risk_if_not_implemented": "Without Unified Endpoint Device Management (UEDM), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Unified Endpoint Device Management (UEDM) (END-01.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Because UEDM is the mechanism that would normally push and enforce the baseline, an alternative means of applying the baseline to each endpoint and detecting drift from it must be in place, otherwise the documented baseline provides no assurance. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Unified Endpoint Device Management (UEDM) (END-01.1) by identifying unmanaged, non-compliant or anomalous endpoints whose configuration centralized device management would otherwise have enforced. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-02",
      "risk_if_not_implemented": "Without Endpoint Protection Measures, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Endpoint Protection Measures (END-02) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-01",
        "name": "Vulnerability & Patch Management Program (VPMP)",
        "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
        "justification": "Vulnerability & Patch Management Program (VPMP) (VPM-01) provides policy-level governance that compensates for the absence of Endpoint Protection Measures (END-02) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-03",
      "risk_if_not_implemented": "Without Prohibit Installation Without Privileged Status, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Prohibit Installation Without Privileged Status (END-03) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Note that restricting ports, protocols and services limits what installed software can reach but does not by itself stop a local user from installing software, so this compensation is partial and should be paired with an access-based restriction. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Prohibit Installation Without Privileged Status (END-03) by ensuring standard users are not granted the local administrative rights that software installation requires, so that installations are confined to explicitly authorized accounts. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-03.1",
      "risk_if_not_implemented": "Without Software Installation Alerts, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Software Installation Alerts (END-03.1) by restricting who can install software in the first place, reducing the population of installation events that would otherwise need to be alerted on. Note that this is a preventive substitute for a detective control: installations performed by accounts that legitimately hold installation rights remain unobserved unless installation events are also logged and reviewed. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Software Installation Alerts (END-03.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-03.2",
      "risk_if_not_implemented": "Without Governing Access Restriction for Change, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Governing Access Restriction for Change (END-03.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-03",
        "name": "Prohibit Installation Without Privileged Status",
        "description": "Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.",
        "justification": "Prohibit Installation Without Privileged Status (END-03) provides access control enforcement that compensates for the absence of Governing Access Restriction for Change (END-03.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.1",
      "risk_if_not_implemented": "Without Automatic Antimalware Signature Updates, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Automatic Antimalware Signature Updates (END-04.1) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Note that patching does not refresh antimalware detection content: malware that does not depend on a known vulnerability (for example, code executed by a user) is not covered, so signature updates should still be applied manually on a defined cadence while automation is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Automatic Antimalware Signature Updates (END-04.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.2",
      "risk_if_not_implemented": "Without Documented Protection Measures, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Documented Protection Measures (END-04.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of Documented Protection Measures (END-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.3",
      "risk_if_not_implemented": "Without Centralized Management of Antimalware Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Centralized Management of Antimalware Technologies (END-04.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of Centralized Management of Antimalware Technologies (END-04.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Without central management, the installation, configuration and health of the antimalware agent must be verified on each endpoint individually, and gaps in coverage are likely to go unnoticed unless that verification is performed on a defined schedule. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.4",
      "risk_if_not_implemented": "Without Heuristic / Nonsignature-Based Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Heuristic / Nonsignature-Based Detection (END-04.4) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Note that patching only limits malware delivered through known vulnerabilities; it provides no detection of novel or previously unseen malicious code, which is the gap the primary control addresses. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of Heuristic / Nonsignature-Based Detection (END-04.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. To the extent the deployed antimalware relies on signatures, it will lag behind novel or polymorphic malware, so residual risk remains elevated until non-signature detection is in place. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.5",
      "risk_if_not_implemented": "Without Malware Protection Mechanism Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of Malware Protection Mechanism Testing (END-04.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Because the mechanism is not being tested, there is no direct evidence that it is installed, running and current on every endpoint; that status should be confirmed by other means (for example, agent inventory and health reporting) for this compensation to be credible. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Malware Protection Mechanism Testing (END-04.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.6",
      "risk_if_not_implemented": "Without mechanisms to address Evolving Malware Threats, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Evolving Malware Threats (END-04.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Evolving Malware Threats (END-04.6) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-04.7",
      "risk_if_not_implemented": "Without Always On Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Always On Protection (END-04.7) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Always On Protection (END-04.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. For this compensation to be meaningful, monitoring should specifically detect and alert when endpoint protection is stopped, disabled or tampered with, since that is the condition the primary control exists to prevent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-05",
      "risk_if_not_implemented": "Without Software Firewall, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Software Firewall (END-05) by limiting attacker reach and lateral movement opportunities across the environment. Note that boundary controls only govern traffic crossing the external and key internal boundaries: traffic between hosts within the same network segment, and endpoints operating off the corporate network, are not covered, so lateral-movement risk within a segment remains. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Software Firewall (END-05) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06",
      "risk_if_not_implemented": "Without Endpoint File Integrity Monitoring (FIM), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Endpoint File Integrity Monitoring (FIM) (END-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic integrity protection that compensates for the absence of Endpoint File Integrity Monitoring (FIM) (END-06) by supplying known-good hash values against which files and configuration settings can be verified to detect unauthorized modification. Note that hashing provides integrity only, not confidentiality, and only detects a change when a comparison is actually performed, so hash verification should be scheduled to approximate the continuous detection FIM would provide. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.1",
      "risk_if_not_implemented": "Without Integrity Checks, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic integrity protection that compensates for the absence of Integrity Checks (END-06.1) by supplying known-good hash values against which data and software can be verified to detect unauthorized modification. Note that hashing provides integrity only, not confidentiality, and only detects a change when a comparison against the reference value is actually performed. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-18",
        "name": "File Activity Monitoring (FAM)",
        "description": "Automated mechanisms exist to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
        "justification": "File Activity Monitoring (FAM) (MON-18) provides detective monitoring capability that compensates for the absence of Integrity Checks (END-06.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.2",
      "risk_if_not_implemented": "Without Endpoint Detection & Response (EDR), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-18",
        "name": "File Activity Monitoring (FAM)",
        "description": "Automated mechanisms exist to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
        "justification": "File Activity Monitoring (FAM) (MON-18) provides detective monitoring capability that compensates for the absence of Endpoint Detection & Response (EDR) (END-06.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Note that FAM, as described, monitors access to sensitive/regulated data and does not provide the process-, memory- or behavior-level endpoint visibility that EDR is intended to provide, so this compensation covers only the data-access portion of the risk. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic integrity protection that compensates for the absence of Endpoint Detection & Response (EDR) (END-06.2) by supplying known-good hash values against which software and data on the endpoint can be verified to detect unauthorized modification. Note that hashing provides integrity only, not confidentiality, only detects a change when a comparison is actually performed, and does not provide the behavioral detection or response capability EDR is intended for, so this compensation is narrow. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.3",
      "risk_if_not_implemented": "Without Automated Notifications of Integrity Violations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic integrity protection that compensates for the absence of Automated Notifications of Integrity Violations (END-06.3) by supplying known-good hash values against which data and software can be verified to detect unauthorized modification. Note that hashing provides integrity only, not confidentiality, and that it does not itself notify anyone: a defined cadence for performing the comparison and reviewing mismatches is needed while automated notification is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-06",
        "name": "Endpoint File Integrity Monitoring (FIM)",
        "description": "Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
        "justification": "Endpoint File Integrity Monitoring (FIM) (END-06) provides detective monitoring capability that compensates for the absence of Automated Notifications of Integrity Violations (END-06.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.4",
      "risk_if_not_implemented": "Without Automated Response to Integrity Violations, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automated Response to Integrity Violations (END-06.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-06",
        "name": "Endpoint File Integrity Monitoring (FIM)",
        "description": "Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
        "justification": "Endpoint File Integrity Monitoring (FIM) (END-06) provides detective monitoring capability that compensates for the absence of Automated Response to Integrity Violations (END-06.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.5",
      "risk_if_not_implemented": "Without Boot Process Integrity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-06",
        "name": "Endpoint File Integrity Monitoring (FIM)",
        "description": "Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
        "justification": "Endpoint File Integrity Monitoring (FIM) (END-06) provides detective monitoring capability that compensates for the absence of Boot Process Integrity (END-06.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Boot Process Integrity (END-06.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.6",
      "risk_if_not_implemented": "Without Protection of Boot Firmware, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Protection of Boot Firmware (END-06.6) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Protection of Boot Firmware (END-06.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.7",
      "risk_if_not_implemented": "Without Binary or Machine-Executable Code, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-18",
        "name": "File Activity Monitoring (FAM)",
        "description": "Automated mechanisms exist to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
        "justification": "File Activity Monitoring (FAM) (MON-18) provides detective monitoring capability that compensates for the absence of Binary or Machine-Executable Code (END-06.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-06",
        "name": "Endpoint File Integrity Monitoring (FIM)",
        "description": "Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
        "justification": "Endpoint File Integrity Monitoring (FIM) (END-06) provides detective monitoring capability that compensates for the absence of Binary or Machine-Executable Code (END-06.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-06.8",
      "risk_if_not_implemented": "Without Extended Detection & Response (XDR), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "END-06",
        "name": "Endpoint File Integrity Monitoring (FIM)",
        "description": "Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.",
        "justification": "Endpoint File Integrity Monitoring (FIM) (END-06) provides detective monitoring capability that compensates for the absence of Extended Detection & Response (XDR) (END-06.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-13",
        "name": "Cryptographic Hash",
        "description": "Mechanisms exist to utilize hash algorithms to generate a hash value that can be used to validate the integrity of data and/or software.",
        "justification": "Cryptographic Hash (CRY-13) provides cryptographic protection that compensates for the absence of Extended Detection & Response (XDR) (END-06.8) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-07",
      "risk_if_not_implemented": "Without Host Intrusion Detection and Prevention Systems (HIDS / HIPS), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Host Intrusion Detection and Prevention Systems (HIDS / HIPS) (END-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of Host Intrusion Detection and Prevention Systems (HIDS / HIPS) (END-07) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-08.1",
      "risk_if_not_implemented": "Without Central Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-18",
        "name": "DNS & Content Filtering",
        "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "justification": "DNS & Content Filtering (NET-18) provides network-level access restriction that compensates for the absence of Central Management (END-08.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Central Management (END-08.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-08.2",
      "risk_if_not_implemented": "Without Automatic Spam and Phishing Protection Updates, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) provides overlapping security capability that compensates for the absence of Automatic Spam and Phishing Protection Updates (END-08.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of Automatic Spam and Phishing Protection Updates (END-08.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-09",
      "risk_if_not_implemented": "Without Trusted Path, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Trusted Path (END-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Trusted Path (END-09) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-10",
      "risk_if_not_implemented": "Without Mobile Code, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Mobile Code (END-10) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Mobile Code (END-10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-11",
      "risk_if_not_implemented": "Without Thin Nodes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Thin Nodes (END-11) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Thin Nodes (END-11) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-12",
      "risk_if_not_implemented": "Without Port & Input / Output (I/O) Device Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Port & Input / Output (I/O) Device Access (END-12) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Port & Input / Output (I/O) Device Access (END-12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-13",
      "risk_if_not_implemented": "Without Sensor Capability, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Sensor Capability (END-13) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Sensor Capability (END-13) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-13.1",
      "risk_if_not_implemented": "Without Authorized Use, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Authorized Use (END-13.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Authorized Use (END-13.1) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-13.2",
      "risk_if_not_implemented": "Without Notice of Collection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Notice of Collection (END-13.2) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-13",
        "name": "Sensor Capability",
        "description": "Mechanisms exist to configure embedded sensors on systems to: \n(1) Prohibit the remote activation of sensing capabilities; and\n(2) Provide an explicit indication of sensor use to users.",
        "justification": "Sensor Capability (END-13) provides overlapping security capability that compensates for the absence of Notice of Collection (END-13.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-13.3",
      "risk_if_not_implemented": "Without Collection Minimization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Collection Minimization (END-13.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-13",
        "name": "Sensor Capability",
        "description": "Mechanisms exist to configure embedded sensors on systems to: \n(1) Prohibit the remote activation of sensing capabilities; and\n(2) Provide an explicit indication of sensor use to users.",
        "justification": "Sensor Capability (END-13) provides overlapping security capability that compensates for the absence of Collection Minimization (END-13.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-13.4",
      "risk_if_not_implemented": "Without Sensor Delivery Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Sensor Delivery Verification (END-13.4) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Sensor Delivery Verification (END-13.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14",
      "risk_if_not_implemented": "Without Collaborative Computing Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Collaborative Computing Devices (END-14) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Collaborative Computing Devices (END-14) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14.1",
      "risk_if_not_implemented": "Without Disabling / Removal In Secure Work Areas, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Disabling / Removal In Secure Work Areas (END-14.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Disabling / Removal In Secure Work Areas (END-14.1) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14.2",
      "risk_if_not_implemented": "Without Explicitly Indicate Current Participants, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Explicitly Indicate Current Participants (END-14.2) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-14",
        "name": "Collaborative Computing Devices",
        "description": "Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n(1) Networked whiteboards; \n(2) Video teleconference cameras; and \n(3) Teleconference microphones.",
        "justification": "Collaborative Computing Devices (END-14) provides overlapping security capability that compensates for the absence of Explicitly Indicate Current Participants (END-14.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14.3",
      "risk_if_not_implemented": "Without Participant Identity Verification, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Participant Identity Verification (END-14.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-14",
        "name": "Collaborative Computing Devices",
        "description": "Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n(1) Networked whiteboards; \n(2) Video teleconference cameras; and \n(3) Teleconference microphones.",
        "justification": "Collaborative Computing Devices (END-14) provides overlapping security capability that compensates for the absence of Participant Identity Verification (END-14.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14.4",
      "risk_if_not_implemented": "Without Participant Connection Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Participant Connection Management (END-14.4) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Participant Connection Management (END-14.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14.5",
      "risk_if_not_implemented": "Without Malicious Link & File Protections, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-14",
        "name": "Collaborative Computing Devices",
        "description": "Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions: \n(1) Networked whiteboards; \n(2) Video teleconference cameras; and \n(3) Teleconference microphones.",
        "justification": "Collaborative Computing Devices (END-14) provides overlapping security capability that compensates for the absence of Malicious Link & File Protections (END-14.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Malicious Link & File Protections (END-14.5) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-14.6",
      "risk_if_not_implemented": "Without Explicit Indication Of Use, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Explicit Indication Of Use (END-14.6) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Explicit Indication Of Use (END-14.6) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-15",
      "risk_if_not_implemented": "Without Hypervisor Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Hypervisor Access (END-15) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Hypervisor Access (END-15) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-16",
      "risk_if_not_implemented": "Without Restrict Access To Security Functions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Restrict Access To Security Functions (END-16) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Restrict Access To Security Functions (END-16) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "END-16.1",
      "risk_if_not_implemented": "Without Host-Based Security Function Isolation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Host-Based Security Function Isolation (END-16.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Host-Based Security Function Isolation (END-16.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-01.1",
      "risk_if_not_implemented": "Without Onboarding, Transferring & Offboarding Personnel, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-04",
        "name": "Personnel Screening",
        "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
        "justification": "Personnel Screening (HRS-04) provides overlapping security capability that compensates for the absence of Onboarding, Transferring & Offboarding Personnel (HRS-01.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Onboarding, Transferring & Offboarding Personnel (HRS-01.1) by reducing human-factor risk through equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-02",
      "risk_if_not_implemented": "Without Position Categorization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Position Categorization (HRS-02) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Position Categorization (HRS-02) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-02.2",
      "risk_if_not_implemented": "Without Probationary Periods, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-02",
        "name": "Position Categorization",
        "description": "Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.",
        "justification": "Position Categorization (HRS-02) provides overlapping security capability that compensates for the absence of Probationary Periods (HRS-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Probationary Periods (HRS-02.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-03.1",
      "risk_if_not_implemented": "Without User Awareness, personnel may lack knowledge to recognize threats, increasing susceptibility to phishing and social engineering.",
      "compensating_control_1": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of User Awareness (HRS-03.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of User Awareness (HRS-03.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-03.2",
      "risk_if_not_implemented": "Without Competency Requirements for Security-Related Positions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Competency Requirements for Security-Related Positions (HRS-03.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Competency Requirements for Security-Related Positions (HRS-03.2) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-04.1",
      "risk_if_not_implemented": "Without Roles With Special Protection Measures, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-01",
        "name": "Human Resources Security Management",
        "description": "Mechanisms exist to facilitate the implementation of personnel security controls.",
        "justification": "Human Resources Security Management (HRS-01) provides overlapping security capability that compensates for the absence of Roles With Special Protection Measures (HRS-04.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Roles With Special Protection Measures (HRS-04.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-04.2",
      "risk_if_not_implemented": "Without Formal Indoctrination, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Formal Indoctrination (HRS-04.2) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-04",
        "name": "Personnel Screening",
        "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
        "justification": "Personnel Screening (HRS-04) provides overlapping security capability that compensates for the absence of Formal Indoctrination (HRS-04.2) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-04.3",
      "risk_if_not_implemented": "Without Citizenship Requirements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-04",
        "name": "Personnel Screening",
        "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
        "justification": "Personnel Screening (HRS-04) provides overlapping security capability that compensates for the absence of Citizenship Requirements (HRS-04.3) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-06",
        "name": "Third-Party Personnel Security",
        "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "justification": "Third-Party Personnel Security (TPM-06) provides third-party oversight that compensates for the absence of Citizenship Requirements (HRS-04.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-04.4",
      "risk_if_not_implemented": "Without Citizenship Identification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-06",
        "name": "Third-Party Personnel Security",
        "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "justification": "Third-Party Personnel Security (TPM-06) provides third-party oversight that compensates for the absence of Citizenship Identification (HRS-04.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-04",
        "name": "Personnel Screening",
        "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
        "justification": "Personnel Screening (HRS-04) provides overlapping security capability that compensates for the absence of Citizenship Identification (HRS-04.4) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-05.2",
      "risk_if_not_implemented": "Without Social Media & Social Networking Restrictions, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "HRS-06",
        "name": "Access Agreements",
        "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
        "justification": "Access Agreements (HRS-06) provides access control enforcement that compensates for the absence of Social Media & Social Networking Restrictions (HRS-05.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-05",
        "name": "Terms of Employment",
        "description": "Mechanisms exist to require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities.",
        "justification": "Terms of Employment (HRS-05) provides overlapping security capability that compensates for the absence of Social Media & Social Networking Restrictions (HRS-05.2) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-05.4",
      "risk_if_not_implemented": "Without the Use of Critical Technologies control, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Use of Critical Technologies (HRS-05.4) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-06",
        "name": "Access Agreements",
        "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
        "justification": "Access Agreements (HRS-06) provides access control enforcement that compensates for the absence of Use of Critical Technologies (HRS-05.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-05.5",
      "risk_if_not_implemented": "Without the Use of Mobile Devices control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-05",
        "name": "Terms of Employment",
        "description": "Mechanisms exist to require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities.",
        "justification": "Terms of Employment (HRS-05) provides overlapping security capability that compensates for the absence of Use of Mobile Devices (HRS-05.5) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-06",
        "name": "Access Agreements",
        "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
        "justification": "Access Agreements (HRS-06) provides access control enforcement that compensates for the absence of Use of Mobile Devices (HRS-05.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-05.6",
      "risk_if_not_implemented": "Without Security-Minded Dress Code, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-06",
        "name": "Access Agreements",
        "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
        "justification": "Access Agreements (HRS-06) provides access control enforcement that compensates for the absence of Security-Minded Dress Code (HRS-05.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Security-Minded Dress Code (HRS-05.6) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-05.7",
      "risk_if_not_implemented": "Without Policy Familiarization & Acknowledgement, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Policy Familiarization & Acknowledgement (HRS-05.7) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-05",
        "name": "Terms of Employment",
        "description": "Mechanisms exist to require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities.",
        "justification": "Terms of Employment (HRS-05) provides overlapping security capability that compensates for the absence of Policy Familiarization & Acknowledgement (HRS-05.7) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-06.2",
      "risk_if_not_implemented": "Without Post-Employment Requirements Awareness, personnel may lack knowledge to recognize threats, increasing susceptibility to phishing and social engineering.",
      "compensating_control_1": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Post-Employment Requirements Awareness (HRS-06.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-06",
        "name": "Access Agreements",
        "description": "Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.",
        "justification": "Access Agreements (HRS-06) provides access control enforcement that compensates for the absence of Post-Employment Requirements Awareness (HRS-06.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-07",
      "risk_if_not_implemented": "Without Personnel Sanctions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Personnel Sanctions (HRS-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-01",
        "name": "Human Resources Security Management",
        "description": "Mechanisms exist to facilitate the implementation of personnel security controls.",
        "justification": "Human Resources Security Management (HRS-01) provides overlapping security capability that compensates for the absence of Personnel Sanctions (HRS-07) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-07.1",
      "risk_if_not_implemented": "Without Workplace Investigations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-01",
        "name": "Human Resources Security Management",
        "description": "Mechanisms exist to facilitate the implementation of personnel security controls.",
        "justification": "Human Resources Security Management (HRS-01) provides overlapping security capability that compensates for the absence of Workplace Investigations (HRS-07.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Workplace Investigations (HRS-07.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-07.2",
      "risk_if_not_implemented": "Without Updating Disciplinary Processes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Updating Disciplinary Processes (HRS-07.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-07",
        "name": "Personnel Sanctions",
        "description": "Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.",
        "justification": "Personnel Sanctions (HRS-07) provides overlapping security capability that compensates for the absence of Updating Disciplinary Processes (HRS-07.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-07.3",
      "risk_if_not_implemented": "Without Preventative Access Restriction, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "HRS-07",
        "name": "Personnel Sanctions",
        "description": "Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.",
        "justification": "Personnel Sanctions (HRS-07) provides overlapping security capability that compensates for the absence of Preventative Access Restriction (HRS-07.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-04",
        "name": "Audit Activities",
        "description": "Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.",
        "justification": "Audit Activities (CPL-04) provides detective monitoring capability that compensates for the absence of Preventative Access Restriction (HRS-07.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-08",
      "risk_if_not_implemented": "Without Personnel Transfer, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Personnel Transfer (HRS-08) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Personnel Transfer (HRS-08) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-09",
      "risk_if_not_implemented": "Without Personnel Termination, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Personnel Termination (HRS-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-15",
        "name": "Account Management",
        "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "justification": "Account Management (IAC-15) provides access control enforcement that compensates for the absence of Personnel Termination (HRS-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-09.1",
      "risk_if_not_implemented": "Without Asset Collection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Asset Collection (HRS-09.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Asset Collection (HRS-09.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-09.2",
      "risk_if_not_implemented": "Without High-Risk Terminations, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "IAC-15",
        "name": "Account Management",
        "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "justification": "Account Management (IAC-15) provides access control enforcement that compensates for the absence of High-Risk Terminations (HRS-09.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of High-Risk Terminations (HRS-09.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-09.3",
      "risk_if_not_implemented": "Without Post-Employment Requirements Notification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Post-Employment Requirements Notification (HRS-09.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-09",
        "name": "Personnel Termination",
        "description": "Mechanisms exist to govern the termination of individual employment.",
        "justification": "Personnel Termination (HRS-09) provides overlapping security capability that compensates for the absence of Post-Employment Requirements Notification (HRS-09.3) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-09.4",
      "risk_if_not_implemented": "Without Automated Employment Status Notifications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-15",
        "name": "Account Management",
        "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "justification": "Account Management (IAC-15) provides access control enforcement that compensates for the absence of Automated Employment Status Notifications (HRS-09.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-09",
        "name": "Personnel Termination",
        "description": "Mechanisms exist to govern the termination of individual employment.",
        "justification": "Personnel Termination (HRS-09) provides overlapping security capability that compensates for the absence of Automated Employment Status Notifications (HRS-09.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-11",
      "risk_if_not_implemented": "Without Separation of Duties (SoD), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Separation of Duties (SoD) (HRS-11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Separation of Duties (SoD) (HRS-11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-12",
      "risk_if_not_implemented": "Without Incompatible Roles, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Incompatible Roles (HRS-12) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Incompatible Roles (HRS-12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-12.1",
      "risk_if_not_implemented": "Without Two-Person Rule, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Two-Person Rule (HRS-12.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Two-Person Rule (HRS-12.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-13",
      "risk_if_not_implemented": "Without Identify Critical Skills & Gaps, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Identify Critical Skills & Gaps (HRS-13) by reducing human-factor risk through equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Identify Critical Skills & Gaps (HRS-13) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-13.1",
      "risk_if_not_implemented": "Without Remediate Identified Skills Deficiencies, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Remediate Identified Skills Deficiencies (HRS-13.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Remediate Identified Skills Deficiencies (HRS-13.1) by reducing human-factor risk through equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-13.2",
      "risk_if_not_implemented": "Without Identify Vital Security, Compliance & Resilience Staff, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Identify Vital Security, Compliance & Resilience Staff (HRS-13.2) by reducing human-factor risk through equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-13",
        "name": "Identify Critical Skills & Gaps",
        "description": "Mechanisms exist to evaluate the critical security, compliance and resilience skills needed to support the organization's mission and identify gaps that exist.",
        "justification": "Identify Critical Skills & Gaps (HRS-13) provides overlapping security capability that compensates for the absence of Identify Vital Security, Compliance & Resilience Staff (HRS-13.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-13.3",
      "risk_if_not_implemented": "Without Establish Redundancy for Vital Security, Compliance & Resilience Staff, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Establish Redundancy for Vital Security, Compliance & Resilience Staff (HRS-13.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-13",
        "name": "Identify Critical Skills & Gaps",
        "description": "Mechanisms exist to evaluate the critical security, compliance and resilience skills needed to support the organization's mission and identify gaps that exist.",
        "justification": "Identify Critical Skills & Gaps (HRS-13) provides overlapping security capability that compensates for the absence of Establish Redundancy for Vital Security, Compliance & Resilience Staff (HRS-13.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-13.4",
      "risk_if_not_implemented": "Without Perform Succession Planning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Perform Succession Planning (HRS-13.4) by reducing human-factor risk through equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-04",
        "name": "Assigned Security, Compliance & Resilience Responsibilities",
        "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
        "justification": "Assigned Security, Compliance & Resilience Responsibilities (GOV-04) provides resilience and recovery capability that compensates for the absence of Perform Succession Planning (HRS-13.4) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-14",
      "risk_if_not_implemented": "Without Identifying Authorized Work Locations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Identifying Authorized Work Locations (HRS-14) by preventing unauthorized physical interaction with systems and infrastructure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Identifying Authorized Work Locations (HRS-14) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-14.1",
      "risk_if_not_implemented": "Without Communicating Authorized Work Locations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Communicating Authorized Work Locations (HRS-14.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Communicating Authorized Work Locations (HRS-14.1) by preventing unauthorized physical interaction with systems and infrastructure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "HRS-15",
      "risk_if_not_implemented": "Without Reporting Suspicious Activities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Reporting Suspicious Activities (HRS-15) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Reporting Suspicious Activities (HRS-15) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-01.1",
      "risk_if_not_implemented": "Without Retain Access Records, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-15",
        "name": "Account Management",
        "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "justification": "Account Management (IAC-15) provides access control enforcement that compensates for the absence of Retain Access Records (IAC-01.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically-review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Retain Access Records (IAC-01.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-01.2",
      "risk_if_not_implemented": "Without Authenticate, Authorize and Audit (AAA), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Authenticate, Authorize and Audit (AAA) (IAC-01.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Authenticate, Authorize and Audit (AAA) (IAC-01.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-02",
      "risk_if_not_implemented": "Without Identification & Authentication for Organizational Users, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Identification & Authentication for Organizational Users (IAC-02) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Identification & Authentication for Organizational Users (IAC-02) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-02.1",
      "risk_if_not_implemented": "Without Group Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Group Authentication (IAC-02.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Group Authentication (IAC-02.1) by limiting consecutive invalid login attempts, which reduces the exposure of shared or group accounts to credential-guessing attacks. Lockout does not restore individual accountability for actions taken under a shared account, so it should be paired with logging that attributes sessions to specific individuals. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-02.2",
      "risk_if_not_implemented": "Without Replay-Resistant Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-02",
        "name": "Automated Authentication Through Cryptographic Modules",
        "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.",
        "justification": "Automated Authentication Through Cryptographic Modules (CRY-02) provides cryptographic protection that compensates for the absence of Replay-Resistant Authentication (IAC-02.2) by anchoring system authentication in a cryptographic module rather than in a reusable static secret. This only addresses replay risk where the module-based authentication exchange is itself replay resistant (for example, a challenge-response using a fresh nonce or one-time value); a static credential presented to a cryptographic module remains replayable, so this condition should be verified before relying on the control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Replay-Resistant Authentication (IAC-02.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-02.3",
      "risk_if_not_implemented": "Without Acceptance of PIV Credentials, users who have been issued PIV credentials cannot authenticate with those higher-assurance credentials and must rely on alternative authenticators, increasing the risk of unauthorized access and of non-compliance with applicable identity requirements.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Acceptance of PIV Credentials (IAC-02.3) by limiting consecutive invalid login attempts against the alternative (non-PIV) authenticators that remain in use, reducing credential-guessing risk. Lockout does not provide the identity-proofing or credential-binding assurance of PIV, so it addresses only part of the gap and should be combined with a strong alternative authenticator. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Acceptance of PIV Credentials (IAC-02.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-02.4",
      "risk_if_not_implemented": "Without Out-of-Band Authentication (OOBA), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Out-of-Band Authentication (OOBA) (IAC-02.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Out-of-Band Authentication (OOBA) (IAC-02.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-03",
      "risk_if_not_implemented": "Without Identification & Authentication for Non-Organizational Users, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Identification & Authentication for Non-Organizational Users (IAC-03) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Identification & Authentication for Non-Organizational Users (IAC-03) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-03.1",
      "risk_if_not_implemented": "Without Acceptance of PIV Credentials from Other Organizations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-06",
        "name": "Third-Party Personnel Security",
        "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "justification": "Third-Party Personnel Security (TPM-06) provides third-party oversight that compensates for the absence of Acceptance of PIV Credentials from Other Organizations (IAC-03.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Acceptance of PIV Credentials from Other Organizations (IAC-03.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-03.2",
      "risk_if_not_implemented": "Without Acceptance of Third-Party Credentials, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Acceptance of Third-Party Credentials (IAC-03.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-03",
        "name": "Identification & Authentication for Non-Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.",
        "justification": "Identification & Authentication for Non-Organizational Users (IAC-03) provides access control enforcement that compensates for the absence of Acceptance of Third-Party Credentials (IAC-03.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-03.3",
      "risk_if_not_implemented": "Without Use of FICAM-Issued Profiles, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Use of FICAM-Issued Profiles (IAC-03.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Use of FICAM-Issued Profiles (IAC-03.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-03.4",
      "risk_if_not_implemented": "Without Disassociability, the identities and activities of non-organizational users may be unnecessarily linkable across systems and transactions, increasing privacy and compliance risk.",
      "compensating_control_1": {
        "control_id": "IAC-03",
        "name": "Identification & Authentication for Non-Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.",
        "justification": "Identification & Authentication for Non-Organizational Users (IAC-03) provides access control enforcement that compensates for the absence of Disassociability (IAC-03.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Disassociability (IAC-03.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Note that Disassociability is a privacy-oriented objective (limiting how readily a user's identity can be linked across transactions); MFA restricts access but does not reduce linkability, so this compensation covers the access-control aspect of the risk only and the privacy objective should be assessed separately. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-03.5",
      "risk_if_not_implemented": "Without Acceptance of External Authenticators, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Acceptance of External Authenticators (IAC-03.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Acceptance of External Authenticators (IAC-03.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-04",
      "risk_if_not_implemented": "Without Identification & Authentication for Devices, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Identification & Authentication for Devices (IAC-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Because detection occurs only after an unauthenticated device has already connected, the control should be operated in prevention (inline) mode where feasible or paired with network segmentation that limits what such a device can reach. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Identification & Authentication for Devices (IAC-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-04.1",
      "risk_if_not_implemented": "Without Device Attestation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-02",
        "name": "Automated Authentication Through Cryptographic Modules",
        "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.",
        "justification": "Automated Authentication Through Cryptographic Modules (CRY-02) provides cryptographic protection that compensates for the absence of Device Attestation (IAC-04.1) by anchoring device authentication in a cryptographic module, giving the organization a module-bound device identity where a full attestation is not available. This does not verify the integrity or configuration state of the device (which attestation typically covers), so it should be paired with monitoring and configuration-management controls. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Device Attestation (IAC-04.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-04.2",
      "risk_if_not_implemented": "Without Device Authorization Enforcement, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Device Authorization Enforcement (IAC-04.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-04",
        "name": "Identification & Authentication for Devices",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically-based and replay resistant.",
        "justification": "Identification & Authentication for Devices (IAC-04) provides access control enforcement that compensates for the absence of Device Authorization Enforcement (IAC-04.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-05",
      "risk_if_not_implemented": "Without Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS), unauthorized or unverified third-party systems and services may gain access to systems or data, increasing the risk of data breaches and supply-chain compromise.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS) (IAC-05) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS) (IAC-05) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-05.1",
      "risk_if_not_implemented": "Without Sharing Identification & Authentication Information, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "TPM-06",
        "name": "Third-Party Personnel Security",
        "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "justification": "Third-Party Personnel Security (TPM-06) provides third-party oversight that compensates for the absence of Sharing Identification & Authentication Information (IAC-05.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Sharing Identification & Authentication Information (IAC-05.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-05.2",
      "risk_if_not_implemented": "Without Privileged Access by Non-Organizational Users, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Privileged Access by Non-Organizational Users (IAC-05.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Privileged Access by Non-Organizational Users (IAC-05.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-06",
      "risk_if_not_implemented": "Without Multi-Factor Authentication (MFA), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Multi-Factor Authentication (MFA) (IAC-06) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Multi-Factor Authentication (MFA) (IAC-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-06.1",
      "risk_if_not_implemented": "Without Network Access to Privileged Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-13",
        "name": "Adaptive Identification & Authentication",
        "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
        "justification": "Adaptive Identification & Authentication (IAC-13) provides access control enforcement that compensates for the absence of Network Access to Privileged Accounts (IAC-06.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Network Access to Privileged Accounts (IAC-06.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-06.2",
      "risk_if_not_implemented": "Without Network Access to Non-Privileged Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Network Access to Non-Privileged Accounts (IAC-06.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Network Access to Non-Privileged Accounts (IAC-06.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-06.3",
      "risk_if_not_implemented": "Without Local Access to Privileged Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Local Access to Privileged Accounts (IAC-06.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Local Access to Privileged Accounts (IAC-06.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-06.4",
      "risk_if_not_implemented": "Without Out-of-Band Multi-Factor Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Out-of-Band Multi-Factor Authentication (IAC-06.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Out-of-Band Multi-Factor Authentication (IAC-06.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-06.5",
      "risk_if_not_implemented": "Without Alternative Multi-Factor Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-13",
        "name": "Adaptive Identification & Authentication",
        "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
        "justification": "Adaptive Identification & Authentication (IAC-13) provides access control enforcement that compensates for the absence of Alternative Multi-Factor Authentication (IAC-06.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Alternative Multi-Factor Authentication (IAC-06.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-08",
      "risk_if_not_implemented": "Without Role-Based Access Control (RBAC), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Role-Based Access Control (RBAC) (IAC-08) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Role-Based Access Control (RBAC) (IAC-08) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09",
      "risk_if_not_implemented": "Without Identifier Management (User Names), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Identifier Management (User Names) (IAC-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Identifier Management (User Names) (IAC-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09.1",
      "risk_if_not_implemented": "Without User Identity (ID) Management, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of User Identity (ID) Management (IAC-09.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of User Identity (ID) Management (IAC-09.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09.2",
      "risk_if_not_implemented": "Without Identity User Status, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Identity User Status (IAC-09.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-09",
        "name": "Identifier Management (User Names)",
        "description": "Mechanisms exist to govern naming standards for usernames and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Identifier Management (User Names) (IAC-09) provides overlapping security capability that compensates for the absence of Identity User Status (IAC-09.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09.3",
      "risk_if_not_implemented": "Without Dynamic Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Dynamic Management (IAC-09.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-09",
        "name": "Identifier Management (User Names)",
        "description": "Mechanisms exist to govern naming standards for usernames and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Identifier Management (User Names) (IAC-09) provides overlapping security capability that compensates for the absence of Dynamic Management (IAC-09.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09.4",
      "risk_if_not_implemented": "Without Cross-Organization Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Cross-Organization Management (IAC-09.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Cross-Organization Management (IAC-09.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09.5",
      "risk_if_not_implemented": "Without Privileged Account Identifiers, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-09",
        "name": "Identifier Management (User Names)",
        "description": "Mechanisms exist to govern naming standards for usernames and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Identifier Management (User Names) (IAC-09) provides overlapping security capability that compensates for the absence of Privileged Account Identifiers (IAC-09.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Privileged Account Identifiers (IAC-09.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-09.6",
      "risk_if_not_implemented": "Without Pairwise Pseudonymous Identifiers (PPID), AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Pairwise Pseudonymous Identifiers (PPID) (IAC-09.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Pairwise Pseudonymous Identifiers (PPID) (IAC-09.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.1",
      "risk_if_not_implemented": "Without Password-Based Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Password-Based Authentication (IAC-10.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Password-Based Authentication (IAC-10.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.2",
      "risk_if_not_implemented": "Without PKI-Based Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of PKI-Based Authentication (IAC-10.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of PKI-Based Authentication (IAC-10.2) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.3",
      "risk_if_not_implemented": "Without In-Person or Trusted Third-Party Registration, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of In-Person or Trusted Third-Party Registration (IAC-10.3) by ensuring data confidentiality and integrity through alternative technical means. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of In-Person or Trusted Third-Party Registration (IAC-10.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.4",
      "risk_if_not_implemented": "Without Automated Support For Password Strength, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Automated Support For Password Strength (IAC-10.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Automated Support For Password Strength (IAC-10.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.7",
      "risk_if_not_implemented": "Without Hardware Token-Based Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Hardware Token-Based Authentication (IAC-10.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Hardware Token-Based Authentication (IAC-10.7) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.9",
      "risk_if_not_implemented": "Without Multiple System Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Multiple System Accounts (IAC-10.9) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Multiple System Accounts (IAC-10.9) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.10",
      "risk_if_not_implemented": "Without Expiration of Cached Authenticators, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Expiration of Cached Authenticators (IAC-10.10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Expiration of Cached Authenticators (IAC-10.10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.11",
      "risk_if_not_implemented": "Without Password Managers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-10",
        "name": "Authenticator Management",
        "description": "Mechanisms exist to:\n(1) Securely manage authenticators for users and devices; and\n(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.",
        "justification": "Authenticator Management (IAC-10) provides access control enforcement that compensates for the absence of Password Managers (IAC-10.11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Password Managers (IAC-10.11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.12",
      "risk_if_not_implemented": "Without Biometric Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Biometric Authentication (IAC-10.12) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Biometric Authentication (IAC-10.12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.13",
      "risk_if_not_implemented": "Without Events Requiring Authenticator Change, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Events Requiring Authenticator Change (IAC-10.13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Events Requiring Authenticator Change (IAC-10.13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-10.14",
      "risk_if_not_implemented": "Without Passkeys, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Passkeys (IAC-10.14) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Passkeys (IAC-10.14) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-11",
      "risk_if_not_implemented": "Without Authenticator Feedback, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Authenticator Feedback (IAC-11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can:\n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Authenticator Feedback (IAC-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-12",
      "risk_if_not_implemented": "Without Cryptographic Module Authentication, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Cryptographic Module Authentication (IAC-12) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Cryptographic Module Authentication (IAC-12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-12.1",
      "risk_if_not_implemented": "Without Hardware Security Modules (HSM), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Hardware Security Modules (HSM) (IAC-12.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-09",
        "name": "Cryptographic Key Management",
        "description": "Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.",
        "justification": "Cryptographic Key Management (CRY-09) provides cryptographic protection that compensates for the absence of Hardware Security Modules (HSM) (IAC-12.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-13",
      "risk_if_not_implemented": "Without Adaptive Identification & Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Adaptive Identification & Authentication (IAC-13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Adaptive Identification & Authentication (IAC-13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-13.1",
      "risk_if_not_implemented": "Without Single Sign-On (SSO) Transparent Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Single Sign-On (SSO) Transparent Authentication (IAC-13.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Single Sign-On (SSO) Transparent Authentication (IAC-13.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-13.2",
      "risk_if_not_implemented": "Without Federated Credential Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Federated Credential Management (IAC-13.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-13",
        "name": "Adaptive Identification & Authentication",
        "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
        "justification": "Adaptive Identification & Authentication (IAC-13) provides access control enforcement that compensates for the absence of Federated Credential Management (IAC-13.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-13.3",
      "risk_if_not_implemented": "Without Continuous Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Continuous Authentication (IAC-13.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-13",
        "name": "Adaptive Identification & Authentication",
        "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
        "justification": "Adaptive Identification & Authentication (IAC-13) provides access control enforcement that compensates for the absence of Continuous Authentication (IAC-13.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-14",
      "risk_if_not_implemented": "Without Re-Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-24",
        "name": "Session Lock",
        "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
        "justification": "Session Lock (IAC-24) provides overlapping security capability that compensates for the absence of Re-Authentication (IAC-14) by requiring the user to re-establish identification and authentication before a locked session can be resumed; because the lock is triggered only by inactivity or a user request, this addresses a related risk objective through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Re-Authentication (IAC-14) by logging users out at the end of the session or after an organization-defined period of inactivity, so that continued access requires a fresh authentication; this addresses a related risk objective through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-15.1",
      "risk_if_not_implemented": "Without Automated System Account Management (Directory Services), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Automated System Account Management (Directory Services) (IAC-15.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Automated System Account Management (Directory Services) (IAC-15.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-15.2",
      "risk_if_not_implemented": "Without Removal of Temporary / Emergency Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Removal of Temporary / Emergency Accounts (IAC-15.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Removal of Temporary / Emergency Accounts (IAC-15.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-15.4",
      "risk_if_not_implemented": "Without Automated Audit Actions, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Automated Audit Actions (IAC-15.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-15",
        "name": "Account Management",
        "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "justification": "Account Management (IAC-15) provides access control enforcement that compensates for the absence of Automated Audit Actions (IAC-15.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-15.8",
      "risk_if_not_implemented": "Without Usage Conditions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Usage Conditions (IAC-15.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-15",
        "name": "Account Management",
        "description": "Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.",
        "justification": "Account Management (IAC-15) provides access control enforcement that compensates for the absence of Usage Conditions (IAC-15.8) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-15.9",
      "risk_if_not_implemented": "Without Emergency Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Emergency Accounts (IAC-15.9) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-07",
        "name": "User Provisioning & De-Provisioning",
        "description": "Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.",
        "justification": "User Provisioning & De-Provisioning (IAC-07) provides access control enforcement that compensates for the absence of Emergency Accounts (IAC-15.9) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-16.2",
      "risk_if_not_implemented": "Without Privileged Account Separation, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Privileged Account Separation (IAC-16.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Privileged Account Separation (IAC-16.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-16.3",
      "risk_if_not_implemented": "Without Privileged Command Execution, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Privileged Command Execution (IAC-16.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Privileged Command Execution (IAC-16.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-16.4",
      "risk_if_not_implemented": "Without Dedicated Privileged Account, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Dedicated Privileged Account (IAC-16.4) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Dedicated Privileged Account (IAC-16.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-16.5",
      "risk_if_not_implemented": "Without Manual Override, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Manual Override (IAC-16.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Manual Override (IAC-16.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-20.3",
      "risk_if_not_implemented": "Without Use of Privileged Utility Programs, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Use of Privileged Utility Programs (IAC-20.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Use of Privileged Utility Programs (IAC-20.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-20.4",
      "risk_if_not_implemented": "Without Dedicated Administrative Machines, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Dedicated Administrative Machines (IAC-20.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Dedicated Administrative Machines (IAC-20.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-20.5",
      "risk_if_not_implemented": "Without Dual Authorization for Privileged Commands, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Dual Authorization for Privileged Commands (IAC-20.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Dual Authorization for Privileged Commands (IAC-20.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-20.6",
      "risk_if_not_implemented": "Without Revocation of Access Authorizations, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Revocation of Access Authorizations (IAC-20.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Revocation of Access Authorizations (IAC-20.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-20.7",
      "risk_if_not_implemented": "Without Authorized System Accounts, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Authorized System Accounts (IAC-20.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Authorized System Accounts (IAC-20.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-21.1",
      "risk_if_not_implemented": "Without Authorize Access to Security Functions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Authorize Access to Security Functions (IAC-21.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Authorize Access to Security Functions (IAC-21.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-21.2",
      "risk_if_not_implemented": "Without Non-Privileged Access for Non-Security Functions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Non-Privileged Access for Non-Security Functions (IAC-21.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-17",
        "name": "Periodic Review of Account Privileges",
        "description": "Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.",
        "justification": "Periodic Review of Account Privileges (IAC-17) provides periodic assessment and assurance that compensates for the absence of Non-Privileged Access for Non-Security Functions (IAC-21.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-21.4",
      "risk_if_not_implemented": "Without Auditing Use of Privileged Functions, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Auditing Use of Privileged Functions (IAC-21.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Because RBAC is preventive, it reduces the likelihood of privileged-function misuse but does not restore the detective capability of the primary control; a record of privileged activity (for example, MON-12 Session Audit) is still needed to detect misuse by authorized users. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Auditing Use of Privileged Functions (IAC-21.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Because least privilege is preventive, it narrows the set of users who can execute privileged functions but does not restore the detective capability of the primary control; a record of privileged activity (for example, MON-12 Session Audit) is still needed to detect misuse by authorized users. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-21.5",
      "risk_if_not_implemented": "Without Prohibit Non-Privileged Users from Executing Privileged Functions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Prohibit Non-Privileged Users from Executing Privileged Functions (IAC-21.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-16",
        "name": "Privileged Account Management (PAM)",
        "description": "Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Privileged Account Management (PAM) (IAC-16) provides access control enforcement that compensates for the absence of Prohibit Non-Privileged Users from Executing Privileged Functions (IAC-21.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-21.6",
      "risk_if_not_implemented": "Without Network Access to Privileged Commands, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Network Access to Privileged Commands (IAC-21.6) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Network Access to Privileged Commands (IAC-21.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-21.7",
      "risk_if_not_implemented": "Without Privilege Levels for Code Execution, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Privilege Levels for Code Execution (IAC-21.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-11",
        "name": "Separation of Duties (SoD)",
        "description": "Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.",
        "justification": "Separation of Duties (SoD) (HRS-11) provides overlapping security capability that compensates for the absence of Privilege Levels for Code Execution (IAC-21.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-22",
      "risk_if_not_implemented": "Without Account Lockout, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-13",
        "name": "Adaptive Identification & Authentication",
        "description": "Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.",
        "justification": "Adaptive Identification & Authentication (IAC-13) provides access control enforcement that compensates for the absence of Account Lockout (IAC-22) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Account Lockout (IAC-22) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-23",
      "risk_if_not_implemented": "Without Concurrent Session Control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Concurrent Session Control (IAC-23) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Concurrent Session Control (IAC-23) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-24",
      "risk_if_not_implemented": "Without Session Lock, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Session Lock (IAC-24) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-14",
        "name": "Re-Authentication",
        "description": "Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.",
        "justification": "Re-Authentication (IAC-14) provides access control enforcement that compensates for the absence of Session Lock (IAC-24) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-24.1",
      "risk_if_not_implemented": "Without Pattern-Hiding Displays, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-14",
        "name": "Re-Authentication",
        "description": "Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.",
        "justification": "Re-Authentication (IAC-14) provides access control enforcement that compensates for the absence of Pattern-Hiding Displays (IAC-24.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Pattern-Hiding Displays (IAC-24.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-25",
      "risk_if_not_implemented": "Without Session Termination, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-24",
        "name": "Session Lock",
        "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
        "justification": "Session Lock (IAC-24) provides overlapping security capability that compensates for the absence of Session Termination (IAC-25) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-14",
        "name": "Re-Authentication",
        "description": "Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.",
        "justification": "Re-Authentication (IAC-14) provides access control enforcement that compensates for the absence of Session Termination (IAC-25) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-25.1",
      "risk_if_not_implemented": "Without User-Initiated Logouts / Message Displays, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-14",
        "name": "Re-Authentication",
        "description": "Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.",
        "justification": "Re-Authentication (IAC-14) provides access control enforcement that compensates for the absence of User-Initiated Logouts / Message Displays (IAC-25.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-24",
        "name": "Session Lock",
        "description": "Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.",
        "justification": "Session Lock (IAC-24) provides overlapping security capability that compensates for the absence of User-Initiated Logouts / Message Displays (IAC-25.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-26",
      "risk_if_not_implemented": "Without Permitted Actions Without Identification or Authorization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Permitted Actions Without Identification or Authorization (IAC-26) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Permitted Actions Without Identification or Authorization (IAC-26) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-27",
      "risk_if_not_implemented": "Without Reference Monitor, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Reference Monitor (IAC-27) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Reference Monitor (IAC-27) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-28.2",
      "risk_if_not_implemented": "Without Identity Evidence, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Identity Evidence (IAC-28.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-28",
        "name": "Identity Proofing (Identity Verification)",
        "description": "Mechanisms exist to verify the identity of a user before issuing authenticators or modifying access permissions.",
        "justification": "Identity Proofing (Identity Verification) (IAC-28) provides access control enforcement that compensates for the absence of Identity Evidence (IAC-28.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-28.3",
      "risk_if_not_implemented": "Without Identity Evidence Validation & Verification, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Identity Evidence Validation & Verification (IAC-28.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-28",
        "name": "Identity Proofing (Identity Verification)",
        "description": "Mechanisms exist to verify the identity of a user before issuing authenticators or modifying access permissions.",
        "justification": "Identity Proofing (Identity Verification) (IAC-28) provides access control enforcement that compensates for the absence of Identity Evidence Validation & Verification (IAC-28.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-28.4",
      "risk_if_not_implemented": "Without In-Person Validation & Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of In-Person Validation & Verification (IAC-28.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of In-Person Validation & Verification (IAC-28.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-28.5",
      "risk_if_not_implemented": "Without Address Confirmation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-02",
        "name": "Identification & Authentication for Organizational Users",
        "description": "Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.",
        "justification": "Identification & Authentication for Organizational Users (IAC-02) provides access control enforcement that compensates for the absence of Address Confirmation (IAC-28.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Address Confirmation (IAC-28.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-29",
      "risk_if_not_implemented": "Without Attribute-Based Access Control (ABAC), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Attribute-Based Access Control (ABAC) (IAC-29) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Attribute-Based Access Control (ABAC) (IAC-29) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-29.1",
      "risk_if_not_implemented": "Without Real-Time Access Decisions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Real-Time Access Decisions (IAC-29.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Real-Time Access Decisions (IAC-29.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-29.2",
      "risk_if_not_implemented": "Without Access Profile Rules, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-08",
        "name": "Role-Based Access Control (RBAC)",
        "description": "Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.",
        "justification": "Role-Based Access Control (RBAC) (IAC-08) provides access control enforcement that compensates for the absence of Access Profile Rules (IAC-29.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-29",
        "name": "Attribute-Based Access Control (ABAC)",
        "description": "Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that support the secure sharing of information.",
        "justification": "Attribute-Based Access Control (ABAC) (IAC-29) provides access control enforcement that compensates for the absence of Access Profile Rules (IAC-29.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAC-30",
      "risk_if_not_implemented": "Without Mutual Authentication (MA), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CRY-02",
        "name": "Automated Authentication Through Cryptographic Modules",
        "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.",
        "justification": "Automated Authentication Through Cryptographic Modules (CRY-02) provides cryptographic protection that compensates for the absence of Mutual Authentication (MA) (IAC-30) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Mutual Authentication (MA) (IAC-30) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-01",
      "risk_if_not_implemented": "Without Incident Response Operations, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Incident Response Operations (IRO-01) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Incident Response Operations (IRO-01) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-02.1",
      "risk_if_not_implemented": "Without Automated Incident Handling Processes, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Automated Incident Handling Processes (IRO-02.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Automated Incident Handling Processes (IRO-02.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-02.2",
      "risk_if_not_implemented": "Without Insider Threat Response Capability, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-13",
        "name": "Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.",
        "justification": "Root Cause Analysis (RCA) & Lessons Learned (IRO-13) provides overlapping security capability that compensates for the absence of Insider Threat Response Capability (IRO-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Insider Threat Response Capability (IRO-02.2) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-02.3",
      "risk_if_not_implemented": "Without Dynamic Reconfiguration, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Dynamic Reconfiguration (IRO-02.3) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-02",
        "name": "Incident Handling",
        "description": "Mechanisms exist to cover:\n(1) Preparation;\n(2) Automated event detection or manual incident report intake;\n(3) Analysis;\n(4) Containment;\n(5) Eradication; and\n(6) Recovery.",
        "justification": "Incident Handling (IRO-02) provides incident response capability that compensates for the absence of Dynamic Reconfiguration (IRO-02.3) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-02.4",
      "risk_if_not_implemented": "Without Incident Classification & Prioritization, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Incident Classification & Prioritization (IRO-02.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Incident Classification & Prioritization (IRO-02.4) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-02.5",
      "risk_if_not_implemented": "Without Correlation with External Organizations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-02",
        "name": "Incident Handling",
        "description": "Mechanisms exist to cover:\n(1) Preparation;\n(2) Automated event detection or manual incident report intake;\n(3) Analysis;\n(4) Containment;\n(5) Eradication; and\n(6) Recovery.",
        "justification": "Incident Handling (IRO-02) provides incident response capability that compensates for the absence of Correlation with External Organizations (IRO-02.5) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Correlation with External Organizations (IRO-02.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-02.6",
      "risk_if_not_implemented": "Without Automatic Disabling of Technology Assets, Applications and/or Services (TAAS), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Automatic Disabling of Technology Assets, Applications and/or Services (TAAS) (IRO-02.6) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of Automatic Disabling of Technology Assets, Applications and/or Services (TAAS) (IRO-02.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-03",
      "risk_if_not_implemented": "Without Indicators of Compromise (IOC), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "THR-03",
        "name": "Threat Intelligence Feeds",
        "description": "Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
        "justification": "Threat Intelligence Feeds (THR-03) provides overlapping security capability that compensates for the absence of Indicators of Compromise (IOC) (IRO-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Indicators of Compromise (IOC) (IRO-03) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-04",
      "risk_if_not_implemented": "Without Incident Response Plan (IRP), the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-05",
        "name": "Incident Response Training",
        "description": "Mechanisms exist to train personnel in their incident response roles and responsibilities.",
        "justification": "Incident Response Training (IRO-05) provides personnel training and awareness that compensates for the absence of Incident Response Plan (IRP) (IRO-04) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Incident Response Plan (IRP) (IRO-04) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-04.1",
      "risk_if_not_implemented": "Without Data Breach, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-06",
        "name": "Ongoing Contingency Planning",
        "description": "Mechanisms exist to update contingency plans due to changes affecting:\n(1) People (e.g., personnel changes);\n(2) Processes (e.g., new, altered or decommissioned business practices, including third-party services);\n(3) Technologies (e.g., new, altered or decommissioned technologies);\n(4) Data (e.g., changes to data flows and/or data repositories);\n(5) Facilities (e.g., new, altered or decommissioned physical infrastructure); and/or\n(6) Feedback from contingency plan testing activities.",
        "justification": "Ongoing Contingency Planning (BCD-06) provides overlapping security capability that compensates for the absence of Data Breach (IRO-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Data Breach (IRO-04.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-04.2",
      "risk_if_not_implemented": "Without IRP Update, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-13",
        "name": "Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity and data protection incidents to reduce the likelihood or impact of future incidents.",
        "justification": "Root Cause Analysis (RCA) & Lessons Learned (IRO-13) provides overlapping security capability that compensates for the absence of IRP Update (IRO-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of IRP Update (IRO-04.2) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-04.3",
      "risk_if_not_implemented": "Without Continuous Incident Response Improvements, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Continuous Incident Response Improvements (IRO-04.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Continuous Incident Response Improvements (IRO-04.3) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-05",
      "risk_if_not_implemented": "Without Incident Response Training, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Incident Response Training (IRO-05) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Incident Response Training (IRO-05) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-05.1",
      "risk_if_not_implemented": "Without Simulated Incidents, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Simulated Incidents (IRO-05.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Simulated Incidents (IRO-05.1) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-05.2",
      "risk_if_not_implemented": "Without Automated Incident Response Training Environments, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Automated Incident Response Training Environments (IRO-05.2) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-05",
        "name": "Incident Response Training",
        "description": "Mechanisms exist to train personnel in their incident response roles and responsibilities.",
        "justification": "Incident Response Training (IRO-05) provides personnel training and awareness that compensates for the absence of Automated Incident Response Training Environments (IRO-05.2) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-06",
      "risk_if_not_implemented": "Without Incident Response Testing, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "BCD-04",
        "name": "Contingency Plan Testing & Exercises",
        "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "justification": "Contingency Plan Testing & Exercises (BCD-04) provides periodic assessment and assurance that compensates for the absence of Incident Response Testing (IRO-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-05",
        "name": "Incident Response Training",
        "description": "Mechanisms exist to train personnel in their incident response roles and responsibilities.",
        "justification": "Incident Response Training (IRO-05) provides personnel training and awareness that compensates for the absence of Incident Response Testing (IRO-06) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-06.1",
      "risk_if_not_implemented": "Without Coordination with Related Plans, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-05",
        "name": "Incident Response Training",
        "description": "Mechanisms exist to train personnel in their incident response roles and responsibilities.",
        "justification": "Incident Response Training (IRO-05) provides personnel training and awareness that compensates for the absence of Coordination with Related Plans (IRO-06.1) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-04",
        "name": "Contingency Plan Testing & Exercises",
        "description": "Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.",
        "justification": "Contingency Plan Testing & Exercises (BCD-04) provides periodic assessment and assurance that compensates for the absence of Coordination with Related Plans (IRO-06.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-07",
      "risk_if_not_implemented": "Without Integrated Security Incident Response Team (ISIRT), the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Integrated Security Incident Response Team (ISIRT) (IRO-07) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Integrated Security Incident Response Team (ISIRT) (IRO-07) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-08",
      "risk_if_not_implemented": "Without Chain of Custody & Forensics, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Chain of Custody & Forensics (IRO-08) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Chain of Custody & Forensics (IRO-08) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-08.1",
      "risk_if_not_implemented": "Without Licensed Forensic Investigators, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Licensed Forensic Investigators (IRO-08.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Licensed Forensic Investigators (IRO-08.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-09",
      "risk_if_not_implemented": "Without Situational Awareness For Incidents, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Situational Awareness For Incidents (IRO-09) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-03",
        "name": "Threat Intelligence Feeds",
        "description": "Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
        "justification": "Threat Intelligence Feeds (THR-03) provides overlapping security capability that compensates for the absence of Situational Awareness For Incidents (IRO-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-09.1",
      "risk_if_not_implemented": "Without Automated Tracking, Data Collection & Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "THR-03",
        "name": "Threat Intelligence Feeds",
        "description": "Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
        "justification": "Threat Intelligence Feeds (THR-03) provides overlapping security capability that compensates for the absence of Automated Tracking, Data Collection & Analysis (IRO-09.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automated Tracking, Data Collection & Analysis (IRO-09.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-09.2",
      "risk_if_not_implemented": "Without Recurring Incident Analysis, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Recurring Incident Analysis (IRO-09.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-09",
        "name": "Situational Awareness For Incidents",
        "description": "Mechanisms exist to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.",
        "justification": "Situational Awareness For Incidents (IRO-09) provides personnel training and awareness that compensates for the absence of Recurring Incident Analysis (IRO-09.2) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-09.3",
      "risk_if_not_implemented": "Without Incident Tracking Repository, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "THR-03",
        "name": "Threat Intelligence Feeds",
        "description": "Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
        "justification": "Threat Intelligence Feeds (THR-03) provides overlapping security capability that compensates for the absence of Incident Tracking Repository (IRO-09.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-09",
        "name": "Situational Awareness For Incidents",
        "description": "Mechanisms exist to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.",
        "justification": "Situational Awareness For Incidents (IRO-09) provides personnel training and awareness that compensates for the absence of Incident Tracking Repository (IRO-09.3) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-09.4",
      "risk_if_not_implemented": "Without Incident Pattern Analysis, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-09",
        "name": "Situational Awareness For Incidents",
        "description": "Mechanisms exist to document, monitor and report the status of cybersecurity and data protection incidents to internal stakeholders all the way through the resolution of the incident.",
        "justification": "Situational Awareness For Incidents (IRO-09) provides personnel training and awareness that compensates for the absence of Incident Pattern Analysis (IRO-09.4) by reducing human-factor risk, equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Incident Pattern Analysis (IRO-09.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-10",
      "risk_if_not_implemented": "Without Incident Stakeholder Reporting, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Incident Stakeholder Reporting (IRO-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Incident Stakeholder Reporting (IRO-10) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-10.1",
      "risk_if_not_implemented": "Without Automated Reporting, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Automated Reporting (IRO-10.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Automated Reporting (IRO-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-10.2",
      "risk_if_not_implemented": "Without Cyber Incident Reporting for Sensitive / Regulated Data, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Cyber Incident Reporting for Sensitive / Regulated Data (IRO-10.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) compensates for the absence of Cyber Incident Reporting for Sensitive / Regulated Data (IRO-10.2) because its scope already includes timely reporting to internal stakeholders, affected clients and third-parties, and regulatory authorities, which covers incidents involving sensitive / regulated data as a subset. Given the process-oriented nature of this control, the residual gap is that data-specific notification content and deadlines (for example, those imposed by privacy or sector regulators) are not explicitly addressed, so they should be tracked separately until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-10.3",
      "risk_if_not_implemented": "Without Vulnerabilities Related To Incidents, vulnerabilities that were exploited in, or discovered during, an incident may not be reported and tracked to remediation, leaving the organization exposed to repeat incidents through the same weakness.",
      "compensating_control_1": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) compensates for the absence of Vulnerabilities Related To Incidents (IRO-10.3) by ensuring incidents are timely reported to internal stakeholders, which creates a channel through which exploited vulnerabilities can be surfaced to the teams responsible for remediation. Given the process-oriented nature of this control, the residual gap is that IRO-10 does not itself require the exploited vulnerability to be identified and tracked, so incident reports should explicitly call out the weakness involved until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Vulnerabilities Related To Incidents (IRO-10.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-10.4",
      "risk_if_not_implemented": "Without Supply Chain Coordination, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Supply Chain Coordination (IRO-10.4) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) compensates for the absence of Supply Chain Coordination (IRO-10.4) because its scope includes timely reporting to affected clients and third-parties, which provides a baseline channel for notifying supply-chain partners of incidents. Given the process-oriented nature of this control, the residual gap is that one-way notification is not the same as coordinated response with suppliers, so contractual notification obligations in both directions should be confirmed until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-10.5",
      "risk_if_not_implemented": "Without Serious Incident Reporting, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Serious Incident Reporting (IRO-10.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Serious Incident Reporting (IRO-10.5) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-11",
      "risk_if_not_implemented": "Without Incident Reporting Assistance, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Incident Reporting Assistance (IRO-11) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) compensates for the absence of Incident Reporting Assistance (IRO-11) by defining to whom and how quickly incidents must be reported, which gives users a documented reporting path even without dedicated advice and assistance. Given the process-oriented nature of this control, the residual gap is that users may still be unsure what constitutes a reportable incident, so the reporting procedure should be actively communicated to users until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-11.1",
      "risk_if_not_implemented": "Without Automation Support of Availability of Information / Support, users and responders may be unable to quickly obtain incident response information and assistance, delaying the reporting and handling of actual or potential incidents.",
      "compensating_control_1": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) provides incident response capability that compensates for the absence of Automation Support of Availability of Information / Support (IRO-11.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Automation Support of Availability of Information / Support (IRO-11.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-11.2",
      "risk_if_not_implemented": "Without Coordination With External Providers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Coordination With External Providers (IRO-11.2) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-11",
        "name": "Incident Reporting Assistance",
        "description": "Mechanisms exist to provide incident response advice and assistance to users of Technology Assets, Applications and/or Services (TAAS) for the handling and reporting of actual and potential cybersecurity and data protection incidents.",
        "justification": "Incident Reporting Assistance (IRO-11) provides incident response capability that compensates for the absence of Coordination With External Providers (IRO-11.2) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-12",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Spill Response, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data Spill Response (IRO-12) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Sensitive / Regulated Data Spill Response (IRO-12) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-12.1",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Spill Responsible Personnel, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Sensitive / Regulated Data Spill Responsible Personnel (IRO-12.1) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data Spill Responsible Personnel (IRO-12.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-12.2",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Spill Training, personnel involved in spill response may not know how to recognize, contain and properly handle a spill of sensitive / regulated data, increasing the likelihood that the exposure is widened or mishandled during response.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data Spill Training (IRO-12.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-12",
        "name": "Sensitive / Regulated Data Spill Response",
        "description": "Mechanisms exist to respond to sensitive/regulated data spills.",
        "justification": "Sensitive / Regulated Data Spill Response (IRO-12) provides incident response capability that compensates for the absence of Sensitive / Regulated Data Spill Training (IRO-12.2) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-12.3",
      "risk_if_not_implemented": "Without Post-Sensitive / Regulated Data Spill Operations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Post-Sensitive / Regulated Data Spill Operations (IRO-12.3) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-12",
        "name": "Sensitive / Regulated Data Spill Response",
        "description": "Mechanisms exist to respond to sensitive/regulated data spills.",
        "justification": "Sensitive / Regulated Data Spill Response (IRO-12) provides incident response capability that compensates for the absence of Post-Sensitive / Regulated Data Spill Operations (IRO-12.3) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-12.4",
      "risk_if_not_implemented": "Without defined handling for Sensitive / Regulated Data Exposure to Unauthorized Personnel, individuals who have seen spilled data may not be identified, briefed on their obligations, or have their access to the affected data removed, prolonging the exposure.",
      "compensating_control_1": {
        "control_id": "IRO-12",
        "name": "Sensitive / Regulated Data Spill Response",
        "description": "Mechanisms exist to respond to sensitive/regulated data spills.",
        "justification": "Sensitive / Regulated Data Spill Response (IRO-12) provides incident response capability that compensates for the absence of Sensitive / Regulated Data Exposure to Unauthorized Personnel (IRO-12.4) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Sensitive / Regulated Data Exposure to Unauthorized Personnel (IRO-12.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-13",
      "risk_if_not_implemented": "Without Root Cause Analysis (RCA) & Lessons Learned, the underlying causes of incidents are not identified and fed back into controls, so the same weaknesses are likely to be exploited again and the incident response capability does not improve over time.",
      "compensating_control_1": {
        "control_id": "BCD-05",
        "name": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned",
        "description": "Mechanisms exist to conduct a Root Cause Analysis (RCA) and \"lessons learned\" activity every time the contingency plan is activated.",
        "justification": "Contingency Plan Root Cause Analysis (RCA) & Lessons Learned (BCD-05) provides overlapping security capability that compensates for the absence of Root Cause Analysis (RCA) & Lessons Learned (IRO-13) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Root Cause Analysis (RCA) & Lessons Learned (IRO-13) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-14",
      "risk_if_not_implemented": "Without Regulatory & Law Enforcement Contacts, responders may not know whom to notify during an incident, risking missed statutory or contractual notification deadlines and delayed law enforcement engagement.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Regulatory & Law Enforcement Contacts (IRO-14) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-10",
        "name": "Incident Stakeholder Reporting",
        "description": "Mechanisms exist to timely-report incidents to applicable:\n(1) Internal stakeholders; \n(2) Affected clients & third-parties; and\n(3) Regulatory authorities.",
        "justification": "Incident Stakeholder Reporting (IRO-10) compensates for the absence of Regulatory & Law Enforcement Contacts (IRO-14) because its scope includes timely reporting to regulatory authorities, which presupposes that those authorities have been identified. Given the process-oriented nature of this control, the residual gap is that IRO-10 does not require a maintained contact list for law enforcement, so responders should verify that current contact details exist until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-15",
      "risk_if_not_implemented": "Without Detonation Chambers (Sandboxes), suspicious files, attachments and links cannot be executed in an isolated environment for analysis, so previously unknown or evasive malware is more likely to run for the first time on production systems.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Detonation Chambers (Sandboxes) (IRO-15) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-04",
        "name": "Malicious Code Protection (Anti-Malware)",
        "description": "Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.",
        "justification": "Malicious Code Protection (Anti-Malware) (END-04) compensates for the absence of Detonation Chambers (Sandboxes) (IRO-15) by detecting and eradicating known malicious code on endpoints, covering the part of the sandbox's purpose that concerns malware identification. Given the technology-focused nature of this control, the residual gap is that anti-malware tooling relies on known signatures or behaviors and may miss novel or evasive samples that a sandbox is specifically intended to expose, so this compensation should be treated as partial until the primary control can be implemented."
      }
    },
    {
      "control_id": "IRO-16",
      "risk_if_not_implemented": "Without Public Relations & Reputation Repair, the organization may be unable to communicate consistently with customers, partners and the public during and after an incident, amplifying reputational and financial damage beyond the direct impact of the incident.",
      "compensating_control_1": {
        "control_id": "GOV-06",
        "name": "Contacts With Authorities",
        "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "justification": "Contacts With Authorities (GOV-06) provides overlapping security capability that compensates for the absence of Public Relations & Reputation Repair (IRO-16) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Public Relations & Reputation Repair (IRO-16) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-01.1",
      "risk_if_not_implemented": "Without Assessment Boundaries, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) compensates for the absence of Assessment Boundaries (IAO-01.1) by providing enterprise-wide visibility into assets and activity, which reduces the risk that systems in scope for assessment are overlooked because no boundary was defined. Given the process-oriented nature of this control, the residual gap is that monitoring does not itself define what is being assessed, so assessors should explicitly document the systems covered by each assessment until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assessment Boundaries (IAO-01.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-02.1",
      "risk_if_not_implemented": "Without Assessor Independence, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) compensates for the absence of Assessor Independence (IAO-02.1) only when the testing is performed by a party independent of those who designed, implemented or operate the tested Technology Assets, Applications and/or Services (TAAS); an independent test provides an objective, structured evaluation of the environment that surfaces gaps the operating team may not see. Given the process-oriented nature of this control, the residual gap is that a penetration test covers technical exposure rather than the full scope of a control assessment, so the independence of other assessment activities should still be verified until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Assessor Independence (IAO-02.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness; it offsets the missing independence only when the assessments are performed by personnel who are independent of the processes and documented procedures under review. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-02.2",
      "risk_if_not_implemented": "Without Specialized Assessments, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Specialized Assessments (IAO-02.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Specialized Assessments (IAO-02.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-02.3",
      "risk_if_not_implemented": "Without Third-Party Assessment Reciprocity, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Third-Party Assessment Reciprocity (IAO-02.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Third-Party Assessment Reciprocity (IAO-02.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-02.4",
      "risk_if_not_implemented": "Without Security Assessment Report (SAR), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Security Assessment Report (SAR) (IAO-02.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Security Assessment Report (SAR) (IAO-02.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-03",
      "risk_if_not_implemented": "Without Applied Security, Compliance and Resilience Controls Documentation, the current state of applied controls on in-scope Technology Assets, Applications and/or Services (TAAS) may be unknown or undocumented, so that control gaps and changes cannot be identified, assessed or remediated.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Applied Security, Compliance and Resilience Controls Documentation (IAO-03) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides documentation and dissemination capability that compensates for the absence of Applied Security, Compliance and Resilience Controls Documentation (IAO-03) by ensuring that the policies, standards and procedures governing applied controls are established, maintained and disseminated when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-03.1",
      "risk_if_not_implemented": "Without Plan / Coordinate with Other Organizational Entities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides documentation and dissemination capability that compensates for the absence of Plan / Coordinate with Other Organizational Entities (IAO-03.1) by ensuring that the policies, standards and procedures other organizational entities must coordinate against are established, maintained and disseminated when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Plan / Coordinate with Other Organizational Entities (IAO-03.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-03.2",
      "risk_if_not_implemented": "Without Adequate Security for Sensitive / Regulated Data In Support of Contracts, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Adequate Security for Sensitive / Regulated Data In Support of Contracts (IAO-03.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-03",
        "name": "Applied Security, Compliance and Resilience Controls Documentation",
        "description": "Mechanisms exist to generate authoritative documentation (e.g., System Security Plan (SSP)) that:\n(1) Identifies key architectural and implementation information on in-scope Technology Assets, Applications and/or Services (TAAS);\n(2) Reflects the current state of applied security, compliance and resilience controls on applicable People, Processes, Technologies, Data and/or Facilities (PPTDF) that are contained within the system boundary; and\n(3) Provides a historical record of applied security controls, including changes.",
        "justification": "Applied Security, Compliance and Resilience Controls Documentation (IAO-03) provides authoritative controls documentation that compensates for the absence of Adequate Security for Sensitive / Regulated Data In Support of Contracts (IAO-03.2) by recording the current state of applied security, compliance and resilience controls within the system boundary, so that the protection of sensitive / regulated data can be verified against contractual requirements when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-05",
      "risk_if_not_implemented": "Without Capabilities Deficiency Tracking, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Capabilities Deficiency Tracking (IAO-05) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-06",
        "name": "Risk Remediation",
        "description": "Mechanisms exist to remediate risks to an acceptable level.",
        "justification": "Risk Remediation (RSK-06) provides vulnerability management that compensates for the absence of Capabilities Deficiency Tracking (IAO-05) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-05.1",
      "risk_if_not_implemented": "Without Deficiency Tracking Automation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-06",
        "name": "Risk Remediation",
        "description": "Mechanisms exist to remediate risks to an acceptable level.",
        "justification": "Risk Remediation (RSK-06) provides vulnerability management that compensates for the absence of Deficiency Tracking Automation (IAO-05.1) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Deficiency Tracking Automation (IAO-05.1) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "IAO-06",
      "risk_if_not_implemented": "Without Technical Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Technical Verification (IAO-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Technical Verification (IAO-06) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-01",
      "risk_if_not_implemented": "Without Maintenance Operations, maintenance activities may be performed without oversight, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Maintenance Operations (MNT-01) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Maintenance Operations (MNT-01) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-02.1",
      "risk_if_not_implemented": "Without Automated Maintenance Activities, automated maintenance may be performed without oversight or consistency, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Automated Maintenance Activities (MNT-02.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Automated Maintenance Activities (MNT-02.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-03",
      "risk_if_not_implemented": "Without Timely Maintenance, maintenance support and/or spare parts may not be obtained within the defined Recovery Time Objective (RTO), allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Timely Maintenance (MNT-03) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Timely Maintenance (MNT-03) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-03.1",
      "risk_if_not_implemented": "Without Preventative Maintenance, preventative maintenance may be neglected, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Preventative Maintenance (MNT-03.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Preventative Maintenance (MNT-03.1) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-03.2",
      "risk_if_not_implemented": "Without Predictive Maintenance, maintenance needs may not be anticipated before failures occur, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Predictive Maintenance (MNT-03.2) by addressing known weaknesses before they can be exploited, which reduces the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-03",
        "name": "Timely Maintenance",
        "description": "Mechanisms exist to obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).",
        "justification": "Timely Maintenance (MNT-03) provides overlapping security capability that compensates for the absence of Predictive Maintenance (MNT-03.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-03.3",
      "risk_if_not_implemented": "Without Automated Support For Predictive Maintenance, predictive maintenance may depend on manual effort and be performed inconsistently, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Automated Support For Predictive Maintenance (MNT-03.3) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-03",
        "name": "Timely Maintenance",
        "description": "Mechanisms exist to obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).",
        "justification": "Timely Maintenance (MNT-03) provides overlapping security capability that compensates for the absence of Automated Support For Predictive Maintenance (MNT-03.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-04",
      "risk_if_not_implemented": "Without Maintenance Tools, tools used for maintenance may be introduced and used without control or inspection, allowing residual security, compliance, or resilience risk to accumulate and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Maintenance Tools (MNT-04) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Maintenance Tools (MNT-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-04.1",
      "risk_if_not_implemented": "Without Inspect Tools, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Inspect Tools (MNT-04.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Inspect Tools (MNT-04.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-04.2",
      "risk_if_not_implemented": "Without Inspect Media, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Inspect Media (MNT-04.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-04",
        "name": "Maintenance Tools",
        "description": "Mechanisms exist to control and monitor the use of system maintenance tools.",
        "justification": "Maintenance Tools (MNT-04) provides overlapping security capability that compensates for the absence of Inspect Media (MNT-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-04.3",
      "risk_if_not_implemented": "Without Prevent Unauthorized Removal, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Prevent Unauthorized Removal (MNT-04.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-04",
        "name": "Maintenance Tools",
        "description": "Mechanisms exist to control and monitor the use of system maintenance tools.",
        "justification": "Maintenance Tools (MNT-04) provides overlapping security capability that compensates for the absence of Prevent Unauthorized Removal (MNT-04.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-04.4",
      "risk_if_not_implemented": "Without Restrict Tool Usage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Restrict Tool Usage (MNT-04.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Restrict Tool Usage (MNT-04.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05",
      "risk_if_not_implemented": "Without Remote Maintenance, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Remote Maintenance (MNT-05) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Remote Maintenance (MNT-05) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.1",
      "risk_if_not_implemented": "Without Auditing Remote Maintenance, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Auditing Remote Maintenance (MNT-05.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Auditing Remote Maintenance (MNT-05.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.2",
      "risk_if_not_implemented": "Without Remote Maintenance Notifications, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Remote Maintenance Notifications (MNT-05.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-05",
        "name": "Remote Maintenance",
        "description": "Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.",
        "justification": "Remote Maintenance (MNT-05) provides overlapping security capability that compensates for the absence of Remote Maintenance Notifications (MNT-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.3",
      "risk_if_not_implemented": "Without Remote Maintenance Cryptographic Protection, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Remote Maintenance Cryptographic Protection (MNT-05.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-05",
        "name": "Remote Maintenance",
        "description": "Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.",
        "justification": "Remote Maintenance (MNT-05) provides overlapping security capability that compensates for the absence of Remote Maintenance Cryptographic Protection (MNT-05.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.4",
      "risk_if_not_implemented": "Without Remote Maintenance Disconnect Verification, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Remote Maintenance Disconnect Verification (MNT-05.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Remote Maintenance Disconnect Verification (MNT-05.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.5",
      "risk_if_not_implemented": "Without Remote Maintenance Pre-Approval, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Remote Maintenance Pre-Approval (MNT-05.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Remote Maintenance Pre-Approval (MNT-05.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.6",
      "risk_if_not_implemented": "Without Remote Maintenance Comparable Security & Sanitization, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MNT-05",
        "name": "Remote Maintenance",
        "description": "Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.",
        "justification": "Remote Maintenance (MNT-05) provides overlapping security capability that compensates for the absence of Remote Maintenance Comparable Security & Sanitization (MNT-05.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Remote Maintenance Comparable Security & Sanitization (MNT-05.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-05.7",
      "risk_if_not_implemented": "Without Separation of Maintenance Sessions, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Separation of Maintenance Sessions (MNT-05.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Separation of Maintenance Sessions (MNT-05.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-06",
      "risk_if_not_implemented": "Without Authorized Maintenance Personnel, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Authorized Maintenance Personnel (MNT-06) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-01",
        "name": "Maintenance Operations",
        "description": "Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.",
        "justification": "Maintenance Operations (MNT-01) provides overlapping security capability that compensates for the absence of Authorized Maintenance Personnel (MNT-06) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-06.1",
      "risk_if_not_implemented": "Without Maintenance Personnel Without Appropriate Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MNT-01",
        "name": "Maintenance Operations",
        "description": "Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.",
        "justification": "Maintenance Operations (MNT-01) provides overlapping security capability that compensates for the absence of Maintenance Personnel Without Appropriate Access (MNT-06.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Maintenance Personnel Without Appropriate Access (MNT-06.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-06.2",
      "risk_if_not_implemented": "Without Non-System Related Maintenance, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Non-System Related Maintenance (MNT-06.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-06",
        "name": "Authorized Maintenance Personnel",
        "description": "Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.",
        "justification": "Authorized Maintenance Personnel (MNT-06) provides overlapping security capability that compensates for the absence of Non-System Related Maintenance (MNT-06.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-07",
      "risk_if_not_implemented": "Without Maintain Configuration Control During Maintenance, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Maintain Configuration Control During Maintenance (MNT-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides configuration hardening that compensates for the absence of Maintain Configuration Control During Maintenance (MNT-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-08",
      "risk_if_not_implemented": "Without Field Maintenance, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "PES-10",
        "name": "Delivery & Removal",
        "description": "Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.",
        "justification": "Delivery & Removal (PES-10) provides overlapping security capability that compensates for the absence of Field Maintenance (MNT-08) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MNT-01",
        "name": "Maintenance Operations",
        "description": "Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.",
        "justification": "Maintenance Operations (MNT-01) provides overlapping security capability that compensates for the absence of Field Maintenance (MNT-08) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-09",
      "risk_if_not_implemented": "Without Off-Site Maintenance, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MNT-05",
        "name": "Remote Maintenance",
        "description": "Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.",
        "justification": "Remote Maintenance (MNT-05) provides overlapping security capability that compensates for the absence of Off-Site Maintenance (MNT-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Off-Site Maintenance (MNT-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-10",
      "risk_if_not_implemented": "Without Maintenance Validation, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Maintenance Validation (MNT-10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-06",
        "name": "Control Functionality Verification",
        "description": "Mechanisms exist to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
        "justification": "Control Functionality Verification (CHG-06) provides overlapping security capability that compensates for the absence of Maintenance Validation (MNT-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MNT-11",
      "risk_if_not_implemented": "Without Maintenance Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Maintenance Monitoring (MNT-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-06",
        "name": "Control Functionality Verification",
        "description": "Mechanisms exist to verify the functionality of security, compliance and resilience controls following implemented changes to ensure applicable controls operate as designed.",
        "justification": "Control Functionality Verification (CHG-06) provides overlapping security capability that compensates for the absence of Maintenance Monitoring (MNT-11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-02",
      "risk_if_not_implemented": "Without Access Control For Mobile Devices, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Access Control For Mobile Devices (MDM-02) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Access Control For Mobile Devices (MDM-02) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-03",
      "risk_if_not_implemented": "Without Full Device & Container-Based Encryption, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Full Device & Container-Based Encryption (MDM-03) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Full Device & Container-Based Encryption (MDM-03) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-04",
      "risk_if_not_implemented": "Without Mobile Device Tampering, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Mobile Device Tampering (MDM-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Mobile Device Tampering (MDM-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-05",
      "risk_if_not_implemented": "Without Remote Purging, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MDM-01",
        "name": "Centralized Management Of Mobile Devices",
        "description": "Mechanisms exist to implement and govern Mobile Device Management (MDM) controls.",
        "justification": "Centralized Management Of Mobile Devices (MDM-01) provides overlapping security capability that compensates for the absence of Remote Purging (MDM-05) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-01",
        "name": "Identity & Access Management (IAM)",
        "description": "Mechanisms exist to facilitate the implementation of identification and access management controls.",
        "justification": "Identity & Access Management (IAM) (IAC-01) provides access control enforcement that compensates for the absence of Remote Purging (MDM-05) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-06",
      "risk_if_not_implemented": "Without Personally-Owned Mobile Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MDM-01",
        "name": "Centralized Management Of Mobile Devices",
        "description": "Mechanisms exist to implement and govern Mobile Device Management (MDM) controls.",
        "justification": "Centralized Management Of Mobile Devices (MDM-01) provides overlapping security capability that compensates for the absence of Personally-Owned Mobile Devices (MDM-06) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Personally-Owned Mobile Devices (MDM-06) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-07",
      "risk_if_not_implemented": "Without Organization-Owned Mobile Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MDM-01",
        "name": "Centralized Management Of Mobile Devices",
        "description": "Mechanisms exist to implement and govern Mobile Device Management (MDM) controls.",
        "justification": "Centralized Management Of Mobile Devices (MDM-01) provides overlapping security capability that compensates for the absence of Organization-Owned Mobile Devices (MDM-07) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Organization-Owned Mobile Devices (MDM-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-08",
      "risk_if_not_implemented": "Without Mobile Device Data Retention Limitations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Mobile Device Data Retention Limitations (MDM-08) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides overlapping security capability that compensates for the absence of Mobile Device Data Retention Limitations (MDM-08) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-09",
      "risk_if_not_implemented": "Without Mobile Device Geofencing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Mobile Device Geofencing (MDM-09) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Mobile Device Geofencing (MDM-09) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-10",
      "risk_if_not_implemented": "Without Separate Mobile Device Profiles, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Separate Mobile Device Profiles (MDM-10) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MDM-01",
        "name": "Centralized Management Of Mobile Devices",
        "description": "Mechanisms exist to implement and govern Mobile Device Management (MDM) controls.",
        "justification": "Centralized Management Of Mobile Devices (MDM-01) provides overlapping security capability that compensates for the absence of Separate Mobile Device Profiles (MDM-10) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "MDM-11",
      "risk_if_not_implemented": "Without Restricting Access To Authorized Technology Assets, Applications and/or Services (TAAS), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CFG-04",
        "name": "Software Usage Restrictions",
        "description": "Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.",
        "justification": "Software Usage Restrictions (CFG-04) provides overlapping security capability that compensates for the absence of Restricting Access To Authorized Technology Assets, Applications and/or Services (TAAS) (MDM-11) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Restricting Access To Authorized Technology Assets, Applications and/or Services (TAAS) (MDM-11) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-01.1",
      "risk_if_not_implemented": "Without Zero Trust Architecture (ZTA), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Zero Trust Architecture (ZTA) (NET-01.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Zero Trust Architecture (ZTA) (NET-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-02",
      "risk_if_not_implemented": "Without Layered Network Defenses, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Layered Network Defenses (NET-02) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides overlapping security capability that compensates for the absence of Layered Network Defenses (NET-02) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-02.1",
      "risk_if_not_implemented": "Without Denial of Service (DoS) Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-03",
        "name": "Defense-In-Depth (DiD) Architecture",
        "description": "Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
        "justification": "Defense-In-Depth (DiD) Architecture (SEA-03) provides overlapping security capability that compensates for the absence of Denial of Service (DoS) Protection (NET-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Denial of Service (DoS) Protection (NET-02.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-02.2",
      "risk_if_not_implemented": "Without Guest Networks, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Guest Networks (NET-02.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-02",
        "name": "Layered Network Defenses",
        "description": "Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.",
        "justification": "Layered Network Defenses (NET-02) provides network-level access restriction that compensates for the absence of Guest Networks (NET-02.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-02.3",
      "risk_if_not_implemented": "Without Cross Domain Solution (CDS), information may be transferred between security domains of differing trust or classification without controlled mediation, enabling data leakage to lower-trust domains and the introduction of malicious content into higher-trust domains.",
      "compensating_control_1": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides overlapping security capability that partially compensates for the absence of Cross Domain Solution (CDS) (NET-02.3) by hardening the endpoints on each side of the domain boundary against malicious content that an uncontrolled transfer could introduce. Endpoint protection does not mediate or filter the inter-domain data flow itself, so it should be paired with a boundary-level control and the remaining exposure to data leakage formally accepted. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Cross Domain Solution (CDS) (NET-02.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.1",
      "risk_if_not_implemented": "Without Limit Network Connections, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Limit Network Connections (NET-03.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-05",
        "name": "Software Firewall",
        "description": "Mechanisms exist to utilize host-based firewall software, or a similar technology, on all endpoint devices, where technically feasible.",
        "justification": "Software Firewall (END-05) provides host-level access restriction that compensates for the absence of Limit Network Connections (NET-03.1) by limiting the connections each endpoint will accept or initiate, reducing attacker reach and lateral movement opportunities even where network-level limits are not enforced. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.2",
      "risk_if_not_implemented": "Without External Telecommunications Services controls, connections to external networks may be established through unmanaged interfaces with no defined traffic flow policy, allowing boundary protections to be bypassed and exposing internal resources to untrusted networks.",
      "compensating_control_1": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides network-level data flow enforcement that compensates for the absence of External Telecommunications Services (NET-03.2) by explicitly restricting traffic across external connections to the sources, destinations and protocols that are authorized. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of External Telecommunications Services (NET-03.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.3",
      "risk_if_not_implemented": "Without Prevent Discovery of Internal Information, internal addressing, topology and system details may be disclosed to external parties, aiding attacker reconnaissance and targeting of internal systems.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Prevent Discovery of Internal Information (NET-03.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Prevent Discovery of Internal Information (NET-03.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.4",
      "risk_if_not_implemented": "Without the Personal Data (PD) boundary protection control, personal data may be transmitted across network boundaries without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Personal Data (PD) (NET-03.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Detection is not prevention: unless the system operates in prevention (NIPS) mode with rules tuned to personal data patterns, personal data may already have crossed the boundary before an alert is raised, so a defined response procedure is required for this measure to be effective. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Personal Data (PD) (NET-03.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.5",
      "risk_if_not_implemented": "Without Prevent Unauthorized Exfiltration, sensitive data may be transferred outside the organization's control without being blocked or detected, resulting in data loss and confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Prevent Unauthorized Exfiltration (NET-03.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Because monitoring detects exfiltration after the fact rather than blocking it, egress traffic must be within monitoring scope and alerts must be acted upon promptly for this measure to materially reduce the risk. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Prevent Unauthorized Exfiltration (NET-03.5) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.6",
      "risk_if_not_implemented": "Without Dynamic Isolation & Segregation (Sandboxing), suspicious or untrusted code and content cannot be contained at the time of detection, allowing malware or a compromised component to affect adjacent systems and services.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Dynamic Isolation & Segregation (Sandboxing) (NET-03.6) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Dynamic Isolation & Segregation (Sandboxing) (NET-03.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.7",
      "risk_if_not_implemented": "Without Isolation of System Components, a compromise of one component can propagate to others that share the same network segment, increasing the blast radius of an incident and enabling lateral movement.",
      "compensating_control_1": {
        "control_id": "END-05",
        "name": "Software Firewall",
        "description": "Mechanisms exist to utilize host-based firewall software, or a similar technology, on all endpoint devices, where technically feasible.",
        "justification": "Software Firewall (END-05) provides host-level access restriction that compensates for the absence of Isolation of System Components (NET-03.7) by enforcing per-host rules on which peers and ports each component may communicate with, limiting attacker reach and lateral movement opportunities where network-level isolation is not in place. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Isolation of System Components (NET-03.7) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-03.8",
      "risk_if_not_implemented": "Without Separate Subnet for Connecting to Different Security Domains, systems that connect to differing security domains share network space with internal resources, allowing a compromise originating in a lower-trust domain to reach higher-trust systems directly.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Separate Subnet for Connecting to Different Security Domains (NET-03.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Separate Subnet for Connecting to Different Security Domains (NET-03.8) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.2",
      "risk_if_not_implemented": "Without Object Security Attributes, data flow enforcement cannot base decisions on the security attributes of the information being transmitted, allowing sensitive data to flow to destinations not authorized for its classification.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Object Security Attributes (NET-04.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides access control enforcement that compensates for the absence of Object Security Attributes (NET-04.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.3",
      "risk_if_not_implemented": "Without Content Check for Encrypted Data, encrypted traffic may carry malicious content or unauthorized data across the network boundary without inspection, allowing encryption to be used to evade data flow enforcement.",
      "compensating_control_1": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides network-level data flow enforcement that compensates for the absence of Content Check for Encrypted Data (NET-04.3) by restricting which sources, destinations and protocols may exchange encrypted traffic across the boundary. ACLs cannot inspect encrypted payloads, so this measure limits the paths available for evasion rather than detecting hidden content, and the residual exposure should be explicitly accepted. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Content Check for Encrypted Data (NET-04.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.4",
      "risk_if_not_implemented": "Without Embedded Data Types, data flow enforcement cannot evaluate data embedded within other data types (such as files nested inside other files), allowing unauthorized or malicious content to pass enforcement undetected.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Embedded Data Types (NET-04.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Embedded Data Types (NET-04.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.5",
      "risk_if_not_implemented": "Without Metadata, data flow enforcement cannot use the metadata associated with transmitted data to make policy decisions, allowing data to flow to destinations that its metadata would otherwise disallow.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Metadata (NET-04.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Metadata (NET-04.5) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.6",
      "risk_if_not_implemented": "Without Human Reviews, data flows that automated enforcement mechanisms cannot adequately evaluate may be allowed to proceed without human review, permitting unauthorized information transfers.",
      "compensating_control_1": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides network-level data flow enforcement that compensates for the absence of Human Reviews (NET-04.6) by restricting network traffic to flows that are explicitly authorized, so that transfers which would otherwise require human evaluation are blocked by default rather than permitted unreviewed. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Human Reviews (NET-04.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.7",
      "risk_if_not_implemented": "Without Policy Decision Point (PDP), data flow and access decisions are made locally by individual enforcement points rather than against a centrally managed policy, resulting in inconsistent enforcement and gaps between enforcement points.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Policy Decision Point (PDP) (NET-04.7) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides network-level data flow enforcement that compensates for the absence of Policy Decision Point (PDP) (NET-04.7) by restricting network traffic to what is explicitly authorized at each enforcement point; because these rules are distributed rather than centrally decided, they must be governed and reviewed consistently to avoid divergence between enforcement points. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.8",
      "risk_if_not_implemented": "Without Data Type Identifiers, data flow enforcement cannot identify the type of data being transmitted, allowing disallowed data types to pass as permitted traffic.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Data Type Identifiers (NET-04.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides network-level data flow enforcement that compensates for the absence of Data Type Identifiers (NET-04.8) by restricting traffic to explicitly authorized sources, destinations and protocols, which narrows the channels over which disallowed data types could be transmitted even though the data type itself is not inspected. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.9",
      "risk_if_not_implemented": "Without Decomposition Into Policy-Related Subcomponents, information cannot be broken down into the subcomponents to which policy applies, so a permitted transfer may carry embedded content that would be disallowed if evaluated separately.",
      "compensating_control_1": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides access control enforcement that compensates for the absence of Decomposition Into Policy-Related Subcomponents (NET-04.9) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Decomposition Into Policy-Related Subcomponents (NET-04.9) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.10",
      "risk_if_not_implemented": "Without Detection of Unsanctioned Information, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Detection of Unsanctioned Information (NET-04.10) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Detection of Unsanctioned Information (NET-04.10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.11",
      "risk_if_not_implemented": "Without Approved Solutions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Approved Solutions (NET-04.11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides access control enforcement that compensates for the absence of Approved Solutions (NET-04.11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.12",
      "risk_if_not_implemented": "Without Cross Domain Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides access control enforcement that compensates for the absence of Cross Domain Authentication (NET-04.12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Cross Domain Authentication (NET-04.12) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.13",
      "risk_if_not_implemented": "Without Metadata Validation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Metadata Validation (NET-04.13) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-04",
        "name": "Data Flow Enforcement – Access Control Lists (ACLs)",
        "description": "Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.",
        "justification": "Data Flow Enforcement – Access Control Lists (ACLs) (NET-04) provides access control enforcement that compensates for the absence of Metadata Validation (NET-04.13) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-04.14",
      "risk_if_not_implemented": "Without Application Proxy, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Application Proxy (NET-04.14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Application Proxy (NET-04.14) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-05",
      "risk_if_not_implemented": "Without Interconnection Security Agreements (ISAs), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Interconnection Security Agreements (ISAs) (NET-05) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Interconnection Security Agreements (ISAs) (NET-05) by addressing related risk objectives through an alternative control mechanism aligned with the control's process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-05.1",
      "risk_if_not_implemented": "Without External System Connections, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of External System Connections (NET-05.1) by addressing related risk objectives through an alternative control mechanism aligned with the control's technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of External System Connections (NET-05.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-05.2",
      "risk_if_not_implemented": "Without Internal System Connections, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Internal System Connections (NET-05.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-05",
        "name": "Interconnection Security Agreements (ISAs)",
        "description": "Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs), or similar methods, that document, for each interconnection:\n(1) Interface characteristics;\n(2) Security, compliance and resilience requirements; and\n(3) The nature of the information communicated.",
        "justification": "Interconnection Security Agreements (ISAs) (NET-05) provides overlapping security capability that compensates for the absence of Internal System Connections (NET-05.2) by addressing related risk objectives through an alternative control mechanism aligned with the control's technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-06.1",
      "risk_if_not_implemented": "Without Security Management Subnets, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Security Management Subnets (NET-06.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Security Management Subnets (NET-06.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-06.2",
      "risk_if_not_implemented": "Without Virtual Local Area Network (VLAN) Separation, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Virtual Local Area Network (VLAN) Separation (NET-06.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Virtual Local Area Network (VLAN) Separation (NET-06.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-06.4",
      "risk_if_not_implemented": "Without Segregation From Enterprise Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-08",
        "name": "Protection of Event Logs",
        "description": "Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.",
        "justification": "Protection of Event Logs (MON-08) provides detective monitoring capability that compensates for the absence of Segregation From Enterprise Services (NET-06.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Segregation From Enterprise Services (NET-06.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-06.5",
      "risk_if_not_implemented": "Without Direct Internet Access Restrictions, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Direct Internet Access Restrictions (NET-06.5) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Direct Internet Access Restrictions (NET-06.5) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-06.6",
      "risk_if_not_implemented": "Without Microsegmentation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Microsegmentation (NET-06.6) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Microsegmentation (NET-06.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-06.7",
      "risk_if_not_implemented": "Without Software Defined Networking (SDN), network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Software Defined Networking (SDN) (NET-06.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Software Defined Networking (SDN) (NET-06.7) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-07",
      "risk_if_not_implemented": "Without Network Connection Termination, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Network Connection Termination (NET-07) by addressing related risk objectives through an alternative control mechanism aligned with the control's technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Network Connection Termination (NET-07) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-08",
      "risk_if_not_implemented": "Without Network Intrusion Detection / Prevention Systems (NIDS / NIPS), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-08.1",
      "risk_if_not_implemented": "Without DMZ Networks, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "MON-17",
        "name": "Event Log Analysis & Triage",
        "description": "Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.",
        "justification": "Event Log Analysis & Triage (MON-17) provides detective monitoring capability that compensates for the absence of DMZ Networks (NET-08.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of DMZ Networks (NET-08.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-08.2",
      "risk_if_not_implemented": "Without Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) Deployment, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) Deployment (NET-08.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) Deployment (NET-08.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-08.3",
      "risk_if_not_implemented": "Without Host Containment, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Host Containment (NET-08.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Host Containment (NET-08.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-08.4",
      "risk_if_not_implemented": "Without Resource Containment, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Resource Containment (NET-08.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Resource Containment (NET-08.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-09",
      "risk_if_not_implemented": "Without Session Integrity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-04",
        "name": "Transmission Integrity",
        "description": "Cryptographic mechanisms exist to protect the integrity of data being transmitted.",
        "justification": "Transmission Integrity (CRY-04) provides cryptographic protection that compensates for the absence of Session Integrity (NET-09) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Session Integrity (NET-09) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-09.1",
      "risk_if_not_implemented": "Without Invalidate Session Identifiers at Logout, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Invalidate Session Identifiers at Logout (NET-09.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-04",
        "name": "Transmission Integrity",
        "description": "Cryptographic mechanisms exist to protect the integrity of data being transmitted.",
        "justification": "Transmission Integrity (CRY-04) provides cryptographic protection that compensates for the absence of Invalidate Session Identifiers at Logout (NET-09.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-09.2",
      "risk_if_not_implemented": "Without Unique System-Generated Session Identifiers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-04",
        "name": "Transmission Integrity",
        "description": "Cryptographic mechanisms exist to protect the integrity of data being transmitted.",
        "justification": "Transmission Integrity (CRY-04) provides cryptographic protection that compensates for the absence of Unique System-Generated Session Identifiers (NET-09.2) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-09",
        "name": "Session Integrity",
        "description": "Mechanisms exist to protect the authenticity and integrity of communications sessions.",
        "justification": "Session Integrity (NET-09) provides cryptographic protection that compensates for the absence of Unique System-Generated Session Identifiers (NET-09.2) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-10.1",
      "risk_if_not_implemented": "Without Architecture & Provisioning for Name / Address Resolution Service, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Architecture & Provisioning for Name / Address Resolution Service (NET-10.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-10",
        "name": "Domain Name Service (DNS) Resolution",
        "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "justification": "Domain Name Service (DNS) Resolution (NET-10) provides overlapping security capability that compensates for the absence of Architecture & Provisioning for Name / Address Resolution Service (NET-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-10.2",
      "risk_if_not_implemented": "Without Secure Name / Address Resolution Service (Recursive or Caching Resolver), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-10",
        "name": "Domain Name Service (DNS) Resolution",
        "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "justification": "Domain Name Service (DNS) Resolution (NET-10) provides overlapping security capability that compensates for the absence of Secure Name / Address Resolution Service (Recursive or Caching Resolver) (NET-10.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Secure Name / Address Resolution Service (Recursive or Caching Resolver) (NET-10.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-10.3",
      "risk_if_not_implemented": "Without Sender Policy Framework (SPF), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Sender Policy Framework (SPF) (NET-10.3) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Sender Policy Framework (SPF) (NET-10.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-10.4",
      "risk_if_not_implemented": "Without Domain Registrar Security, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Domain Registrar Security (NET-10.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-10",
        "name": "Domain Name Service (DNS) Resolution",
        "description": "Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.",
        "justification": "Domain Name Service (DNS) Resolution (NET-10) provides overlapping security capability that compensates for the absence of Domain Registrar Security (NET-10.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-11",
      "risk_if_not_implemented": "Without Out-of-Band Channels, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-10",
        "name": "Telecommunications Services Availability",
        "description": "Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.",
        "justification": "Telecommunications Services Availability (BCD-10) provides overlapping security capability that compensates for the absence of Out-of-Band Channels (NET-11) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Out-of-Band Channels (NET-11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-12",
      "risk_if_not_implemented": "Without Safeguarding Data Over Open Networks, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Safeguarding Data Over Open Networks (NET-12) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Safeguarding Data Over Open Networks (NET-12) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-12.1",
      "risk_if_not_implemented": "Without Wireless Link Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Wireless Link Protection (NET-12.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Wireless Link Protection (NET-12.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-12.2",
      "risk_if_not_implemented": "Without End-User Messaging Technologies, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of End-User Messaging Technologies (NET-12.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-07",
        "name": "Wireless Access Authentication & Encryption",
        "description": "Mechanisms exist to protect the confidentiality and integrity of wireless networking technologies by implementing authentication and strong encryption.",
        "justification": "Wireless Access Authentication & Encryption (CRY-07) provides cryptographic protection that compensates for the absence of End-User Messaging Technologies (NET-12.2) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.1",
      "risk_if_not_implemented": "Without Automated Monitoring & Control, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Automated Monitoring & Control (NET-14.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Automated Monitoring & Control (NET-14.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.2",
      "risk_if_not_implemented": "Without Protection of Confidentiality / Integrity Using Encryption, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Protection of Confidentiality / Integrity Using Encryption (NET-14.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access; \n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Protection of Confidentiality / Integrity Using Encryption (NET-14.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.3",
      "risk_if_not_implemented": "Without Managed Access Control Points, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Managed Access Control Points (NET-14.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Managed Access Control Points (NET-14.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.4",
      "risk_if_not_implemented": "Without Remote Privileged Commands & Sensitive Data Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Remote Privileged Commands & Sensitive Data Access (NET-14.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Remote Privileged Commands & Sensitive Data Access (NET-14.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.6",
      "risk_if_not_implemented": "Without Third-Party Remote Access Governance, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Third-Party Remote Access Governance (NET-14.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Third-Party Remote Access Governance (NET-14.6) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.7",
      "risk_if_not_implemented": "Without Endpoint Security Validation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-06",
        "name": "Non-Console Administrative Access",
        "description": "Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.",
        "justification": "Non-Console Administrative Access (CRY-06) provides access control enforcement that compensates for the absence of Endpoint Security Validation (NET-14.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Endpoint Security Validation (NET-14.7) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-14.8",
      "risk_if_not_implemented": "Without Expeditious Disconnect / Disable Capability, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Expeditious Disconnect / Disable Capability (NET-14.8) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Expeditious Disconnect / Disable Capability (NET-14.8) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-15",
      "risk_if_not_implemented": "Without Wireless Networking, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "CRY-07",
        "name": "Wireless Access Authentication & Encryption",
        "description": "Mechanisms exist to protect the confidentiality and integrity of wireless networking technologies by implementing authentication and strong encryption.",
        "justification": "Wireless Access Authentication & Encryption (CRY-07) provides cryptographic protection that compensates for the absence of Wireless Networking (NET-15) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Wireless Networking (NET-15) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-15.1",
      "risk_if_not_implemented": "Without Authentication & Encryption, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "CRY-07",
        "name": "Wireless Access Authentication & Encryption",
        "description": "Mechanisms exist to protect the confidentiality and integrity of wireless networking technologies by implementing authentication and strong encryption.",
        "justification": "Wireless Access Authentication & Encryption (CRY-07) provides cryptographic protection that compensates for the absence of Authentication & Encryption (NET-15.1) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Authentication & Encryption (NET-15.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-15.2",
      "risk_if_not_implemented": "Without Disable Wireless Networking, network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Disable Wireless Networking (NET-15.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Disable Wireless Networking (NET-15.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-15.3",
      "risk_if_not_implemented": "Without Restrict Configuration By Users, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Restrict Configuration By Users (NET-15.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Restrict Configuration By Users (NET-15.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-15.4",
      "risk_if_not_implemented": "Without Wireless Boundaries, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Wireless Boundaries (NET-15.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Wireless Boundaries (NET-15.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-15.5",
      "risk_if_not_implemented": "Without Rogue Wireless Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "NET-15",
        "name": "Wireless Networking",
        "description": "Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.",
        "justification": "Wireless Networking (NET-15) provides network-level access restriction that compensates for the absence of Rogue Wireless Detection (NET-15.5) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Rogue Wireless Detection (NET-15.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-16",
      "risk_if_not_implemented": "Without Intranets, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Intranets (NET-16) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Intranets (NET-16) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-17",
      "risk_if_not_implemented": "Without Data Loss Prevention (DLP), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-11",
        "name": "Monitoring For Information Disclosure",
        "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.",
        "justification": "Monitoring For Information Disclosure (MON-11) provides detective monitoring capability that compensates for the absence of Data Loss Prevention (DLP) (NET-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Data Loss Prevention (DLP) (NET-17) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18",
      "risk_if_not_implemented": "Without DNS & Content Filtering, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of DNS & Content Filtering (NET-18) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of DNS & Content Filtering (NET-18) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.1",
      "risk_if_not_implemented": "Without Route Internal Traffic to Proxy Servers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Route Internal Traffic to Proxy Servers (NET-18.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Route Internal Traffic to Proxy Servers (NET-18.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.2",
      "risk_if_not_implemented": "Without Visibility of Encrypted Communications, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Visibility of Encrypted Communications (NET-18.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-18",
        "name": "DNS & Content Filtering",
        "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "justification": "DNS & Content Filtering (NET-18) provides network-level access restriction that compensates for the absence of Visibility of Encrypted Communications (NET-18.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.3",
      "risk_if_not_implemented": "Without Route Privileged Network Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Route Privileged Network Access (NET-18.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-18",
        "name": "DNS & Content Filtering",
        "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "justification": "DNS & Content Filtering (NET-18) provides network-level access restriction that compensates for the absence of Route Privileged Network Access (NET-18.3) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.4",
      "risk_if_not_implemented": "Without Protocol Compliance Enforcement, traffic that does not conform to the protocol expected on a given port or channel may pass through the proxy unchallenged, allowing unauthorized or malicious communications to evade URL and DNS filtering.",
      "compensating_control_1": {
        "control_id": "NET-18",
        "name": "DNS & Content Filtering",
        "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "justification": "DNS & Content Filtering (NET-18) provides network-level access restriction that compensates for the absence of Protocol Compliance Enforcement (NET-18.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Protocol Compliance Enforcement (NET-18.4) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.5",
      "risk_if_not_implemented": "Without Domain Name Verification, users and systems may connect to unverified, look-alike or spoofed domains without detection, increasing exposure to phishing, credential theft and malware delivery.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Domain Name Verification (NET-18.5) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Domain Name Verification (NET-18.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.6",
      "risk_if_not_implemented": "Without Internet Address Denylisting, connections to Internet addresses already known to be malicious may be permitted, allowing malware download, command channels or data exfiltration that a denylist would have blocked.",
      "compensating_control_1": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Internet Address Denylisting (NET-18.6) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Internet Address Denylisting (NET-18.6) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.7",
      "risk_if_not_implemented": "Without Bandwidth Control, a single user, host or application may consume a disproportionate share of network capacity, degrading availability for other users and making unusually large data transfers harder to notice.",
      "compensating_control_1": {
        "control_id": "NET-18",
        "name": "DNS & Content Filtering",
        "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "justification": "DNS & Content Filtering (NET-18) provides network-level access restriction that compensates for the absence of Bandwidth Control (NET-18.7) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Bandwidth Control (NET-18.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.8",
      "risk_if_not_implemented": "Without Authenticated Proxy, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Authenticated Proxy (NET-18.8) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Authenticated Proxy (NET-18.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-18.9",
      "risk_if_not_implemented": "Without Certificate Denylisting, connections presenting certificates that are known to be revoked, compromised or fraudulent may still be accepted, undermining the trust that transport encryption is intended to provide.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Certificate Denylisting (NET-18.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-18",
        "name": "DNS & Content Filtering",
        "description": "Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.",
        "justification": "DNS & Content Filtering (NET-18) provides network-level access restriction that compensates for the absence of Certificate Denylisting (NET-18.9) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-19",
      "risk_if_not_implemented": "Without Content Disarm and Reconstruction (CDR), files containing active or exploitable content may reach users and endpoints intact, increasing the likelihood of malware execution through document-borne attacks that signature-based filtering does not catch.",
      "compensating_control_1": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Content Disarm and Reconstruction (CDR) (NET-19) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of Content Disarm and Reconstruction (CDR) (NET-19) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.1",
      "risk_if_not_implemented": "Without Email Domain Reputation Protections, messages from sending domains with poor or malicious reputations may be delivered to users, increasing exposure to phishing, spam and malware delivered by email.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) encrypts email in transit, which protects message content from interception but does not evaluate the reputation of sending domains; it therefore only partially offsets the absence of Email Domain Reputation Protections (NET-20.1). It should be combined with a detective control and treated as a temporary measure, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Email Domain Reputation Protections (NET-20.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.2",
      "risk_if_not_implemented": "Without Sender Denylisting, messages from senders already known to be malicious or abusive may continue to be delivered, increasing exposure to phishing and spam that a denylist would have blocked.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Sender Denylisting (NET-20.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) encrypts email in transit, which protects message content from interception but does not block known-malicious senders; it therefore only partially offsets the absence of Sender Denylisting (NET-20.2). It should be combined with a detective control and treated as a temporary measure, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.3",
      "risk_if_not_implemented": "Without Authenticated Received Chain (ARC), email authentication results may be lost when messages are forwarded or relayed through intermediaries, causing legitimate mail to fail authentication checks or forcing receivers to relax those checks and accept spoofed mail.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) encrypts email in transit, which protects message content from interception but does not preserve or convey sender-authentication results across forwarding hops; it therefore only partially offsets the absence of Authenticated Received Chain (ARC) (NET-20.3). It should be combined with email-specific filtering and treated as a temporary measure, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of Authenticated Received Chain (ARC) (NET-20.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.4",
      "risk_if_not_implemented": "Without Domain-Based Message Authentication Reporting and Conformance (DMARC), attackers may send email that spoofs the organization's domains, enabling phishing and business email compromise against employees, customers and partners, and the organization receives no reporting on such abuse.",
      "compensating_control_1": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of Domain-Based Message Authentication Reporting and Conformance (DMARC) (NET-20.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of Domain-Based Message Authentication Reporting and Conformance (DMARC) (NET-20.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.5",
      "risk_if_not_implemented": "Without User Digital Signatures for Outgoing Email, recipients cannot verify that a message genuinely originated from the stated sender or that it was not altered in transit, increasing the risk of impersonation and message tampering.",
      "compensating_control_1": {
        "control_id": "END-08",
        "name": "Phishing & Spam Protection",
        "description": "Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.",
        "justification": "Phishing & Spam Protection (END-08) provides overlapping security capability that compensates for the absence of User Digital Signatures for Outgoing Email (NET-20.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of User Digital Signatures for Outgoing Email (NET-20.5) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.6",
      "risk_if_not_implemented": "Without Encryption for Outgoing Email, sensitive data may be exposed to interception or unauthorized disclosure, resulting in confidentiality breaches.",
      "compensating_control_1": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) filters malicious attachments in email, which addresses inbound content risk but does not itself protect the confidentiality of outgoing messages; it therefore offers only limited compensation for the absence of Encryption for Outgoing Email (NET-20.6). It should be paired with a transport-encryption control and treated as a temporary measure, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection of data in transit that compensates for the absence of Encryption for Outgoing Email (NET-20.6) by protecting message content from interception between mail systems, provided transport encryption is enforced on every hop; it does not protect messages at rest or once delivered. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.7",
      "risk_if_not_implemented": "Without Adaptive Email Protections, email defenses may not adjust to newly observed attack patterns, allowing novel phishing and malware campaigns that evade static rules to reach users.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) encrypts email in transit, which protects message content from interception but does not detect or adapt to malicious email content; it therefore only partially offsets the absence of Adaptive Email Protections (NET-20.7). It should be combined with a detective control and treated as a temporary measure, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Adaptive Email Protections (NET-20.7) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.8",
      "risk_if_not_implemented": "Without Email Labeling, users receive no visible cue that a message originates from outside the organization or warrants caution, increasing the likelihood that phishing and impersonation attempts succeed.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Email Labeling (NET-20.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of Email Labeling (NET-20.8) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "NET-20.9",
      "risk_if_not_implemented": "Without User Threat Reporting, users have no defined way to report suspicious messages, so phishing and other email-borne threats that reach inboxes may go unnoticed by security teams, delaying detection and response.",
      "compensating_control_1": {
        "control_id": "NET-20",
        "name": "Email Content Protections",
        "description": "Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.",
        "justification": "Email Content Protections (NET-20) provides overlapping security capability that compensates for the absence of User Threat Reporting (NET-20.9) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of User Threat Reporting (NET-20.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-01",
      "risk_if_not_implemented": "Without Physical & Environmental Protections, unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Physical & Environmental Protections (PES-01) by keeping unauthorized persons away from infrastructure. Given the facility and physical environment focus of this control, it addresses only the physical-access portion of the risk; it provides no environmental protections, which PES-01 also covers, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Physical & Environmental Protections (PES-01) by identifying unauthorized or anomalous activity that the primary control would have prevented. Because MON-01 is an enterprise-wide monitoring control rather than a physical one, it compensates only to the extent that physical and environmental events (facility access, equipment status) are actually within the scope of what is monitored; detection does not stop theft or tampering in progress, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-01.1",
      "risk_if_not_implemented": "Without Physical Security Plan (PSP), unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Physical Security Plan (PSP) (PES-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Physical Security Plan (PSP) (PES-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-01.2",
      "risk_if_not_implemented": "Without Zone-Based Physical Security, unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Zone-Based Physical Security (PES-01.2) by limiting who can enter the facility at all. Given the facility and physical environment focus of this control, note that without zoning, authorization is enforced at the facility boundary rather than per area, so anyone admitted may be able to reach more sensitive spaces than their role requires; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Zone-Based Physical Security (PES-01.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-02",
      "risk_if_not_implemented": "Without Physical Access Authorizations, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides logical access control enforcement that partially compensates for the absence of Physical Access Authorizations (PES-02) by restricting system and data access to authorized users even when an unauthorized person is physically present. Because it is a logical control, it does not prevent physical theft, tampering, or offline access to equipment and media; it should be paired with physical monitoring, and helps to maintain an acceptable level of residual risk only until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Physical Access Authorizations (PES-02) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-02.1",
      "risk_if_not_implemented": "Without Role-Based Physical Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Role-Based Physical Access (PES-02.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides logical access control enforcement that partially compensates for the absence of Role-Based Physical Access (PES-02.1) by restricting system and data access to authorized users regardless of who is physically present. Given the facility and physical environment focus of the primary control, this logical control does not prevent physical theft, tampering, or offline access to equipment and media, so it narrows rather than closes the gap and helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-02.2",
      "risk_if_not_implemented": "Without Dual Authorization for Physical Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides logical access control enforcement that partially compensates for the absence of Dual Authorization for Physical Access (PES-02.2) by restricting system and data access to authorized users even if a single individual gains physical entry. It is a logical control and does not reproduce the two-person integrity property of dual authorization, nor does it prevent physical theft or tampering, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-02",
        "name": "Physical Access Authorizations",
        "description": "Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Authorizations (PES-02) maintains a current list of personnel authorized to access facilities and compensates for the absence of Dual Authorization for Physical Access (PES-02.2) by ensuring that only vetted individuals are granted physical access at all. It does not provide the two-person integrity that dual authorization is meant to give, so a single authorized insider can still act alone; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-03.1",
      "risk_if_not_implemented": "Without Controlled Ingress & Egress Points, facility entry and exit may occur through uncontrolled or unmonitored points, allowing unauthorized physical access or unobserved removal of equipment and media and potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Controlled Ingress & Egress Points (PES-03.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring of logical user sessions and only partially compensates for the absence of Controlled Ingress & Egress Points (PES-03.1): it can help identify misuse of systems by someone who has gained physical entry, but it does not observe or control physical entry and exit itself. Given the facility and physical environment focus of the primary control, this is a weak compensating control for the physical gap and should be paired with physical monitoring; it helps to maintain an acceptable level of residual risk only until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-03.2",
      "risk_if_not_implemented": "Without Lockable Physical Casings, unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Lockable Physical Casings (PES-03.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Lockable Physical Casings (PES-03.2) by reducing the likelihood that unauthorized persons reach the equipment at all. Given the facility and physical environment focus of this control, it does not protect equipment from authorized occupants or escorted visitors who are already inside, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-03.3",
      "risk_if_not_implemented": "Without Physical Access Logs, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Physical Access Logs (PES-03.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have recorded. Because MON-01 is an enterprise-wide monitoring control, it compensates only to the extent that physical access events are within its scope and retained for review; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Physical Access Logs (PES-03.3) by detecting and responding to physical security incidents that access logs would otherwise have recorded. Given the facility and physical environment focus of this control, real-time monitoring does not by itself produce a retained record of who entered when, so forensic and audit reconstruction remains weaker; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-03.4",
      "risk_if_not_implemented": "Without Access To Critical Systems, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Access To Critical Systems (PES-03.4) by limiting who can enter the facility in which critical systems reside. Given the facility and physical environment focus of this control, facility-level enforcement does not by itself restrict authorized occupants from reaching critical systems inside, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Access To Critical Systems (PES-03.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-04.2",
      "risk_if_not_implemented": "Without Searches, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Searches (PES-04.2) by preventing unauthorized physical interaction with systems and infrastructure. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Searches (PES-04.2) by limiting who can enter and leave controlled areas. Given the people-oriented nature of the primary control, entry/exit enforcement does not inspect what authorized persons carry in or out, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-04.3",
      "risk_if_not_implemented": "Without Temporary Storage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Temporary Storage (PES-04.3) by keeping unauthorized persons away from areas where equipment or media may be held. Given the facility and physical environment focus of this control, it does not govern how items are held once inside, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Temporary Storage (PES-04.3) by preventing unauthorized physical interaction with systems and infrastructure. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-05",
      "risk_if_not_implemented": "Without Monitoring Physical Access, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Monitoring Physical Access (PES-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Because MON-01 is an enterprise-wide monitoring control rather than a physical one, it compensates only to the extent that physical access events are within its scope; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-02",
        "name": "Physical Access Authorizations",
        "description": "Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Authorizations (PES-02) maintains a current list of personnel authorized to access facilities and partially compensates for the absence of Monitoring Physical Access (PES-05) by reducing the population that can legitimately enter. It is a preventive control and provides no detection of or response to physical security incidents, so the detective gap left by PES-05 remains; this compensating control helps to maintain an acceptable level of residual risk only until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-05.1",
      "risk_if_not_implemented": "Without Intrusion Alarms / Surveillance Equipment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-02",
        "name": "Physical Access Authorizations",
        "description": "Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Authorizations (PES-02) maintains a current list of personnel authorized to access facilities and partially compensates for the absence of Intrusion Alarms / Surveillance Equipment (PES-05.1) by reducing the population that can legitimately enter. Given the facility and physical environment focus of the primary control, an authorization list provides no detection of forced or unauthorized entry, so this compensating control helps to maintain an acceptable level of residual risk only until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Intrusion Alarms / Surveillance Equipment (PES-05.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Given the facility and physical environment focus of the primary control, enterprise monitoring compensates only if physical intrusion indicators are within its scope; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-05.2",
      "risk_if_not_implemented": "Without Monitoring Physical Access To Critical Systems, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Monitoring Physical Access To Critical Systems (PES-05.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Because MON-01 is an enterprise-wide monitoring control, it compensates only to the extent that physical access to critical-system locations is within its scope; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Monitoring Physical Access To Critical Systems (PES-05.2) by detecting and responding to physical security incidents at the facility level. General facility monitoring may not specifically cover the locations housing critical systems, so coverage of those areas should be confirmed; this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-06",
      "risk_if_not_implemented": "Without Visitor Control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) enforces physical access authorizations at facility entry and exit points and compensates for the absence of Visitor Control (PES-06) by preventing persons without authorization, including unescorted visitors, from entering non-public areas. Given the facility and physical environment focus of this control, it does not identify, authorize or monitor visitors once admitted, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Visitor Control (PES-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-06.1",
      "risk_if_not_implemented": "Without Distinguish Visitors from On-Site Personnel, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides logical access control enforcement that partially compensates for the absence of Distinguish Visitors from On-Site Personnel (PES-06.1) by restricting system and data access to authorized users even if a visitor cannot be told apart from staff. Given the facility and physical environment focus of the primary control, this logical control does not help staff recognize or challenge an unescorted visitor and does not prevent physical theft or tampering, so this compensating control helps to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-06",
        "name": "Visitor Control",
        "description": "Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).",
        "justification": "Visitor Control (PES-06) provides physical access control that compensates for the absence of Distinguish Visitors from On-Site Personnel (PES-06.1) by preventing unauthorized physical interaction with systems and infrastructure. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-06.2",
      "risk_if_not_implemented": "Without Identification Requirement, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Identification Requirement (PES-06.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-06",
        "name": "Visitor Control",
        "description": "Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).",
        "justification": "Visitor Control (PES-06) provides physical access control that compensates for the absence of Identification Requirement (PES-06.2) by preventing unauthorized physical interaction with systems and infrastructure. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-06.4",
      "risk_if_not_implemented": "Without Automated Records Management & Review, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Automated Records Management & Review (PES-06.4) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-06",
        "name": "Visitor Control",
        "description": "Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).",
        "justification": "Visitor Control (PES-06) provides physical access control that compensates for the absence of Automated Records Management & Review (PES-06.4) by preventing unauthorized physical interaction with systems and infrastructure. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-06.5",
      "risk_if_not_implemented": "Without Minimize Visitor Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Minimize Visitor Personal Data (PD) (PES-06.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Minimize Visitor Personal Data (PD) (PES-06.5) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-06.6",
      "risk_if_not_implemented": "Without Visitor Access Revocation, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "PES-06",
        "name": "Visitor Control",
        "description": "Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).",
        "justification": "Visitor Control (PES-06) provides physical access control that compensates for the absence of Visitor Access Revocation (PES-06.6) by preventing unauthorized physical interaction with systems and infrastructure. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Visitor Access Revocation (PES-06.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07",
      "risk_if_not_implemented": "Without Supporting Utilities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Supporting Utilities (PES-07) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Supporting Utilities (PES-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.1",
      "risk_if_not_implemented": "Without Automatic Voltage Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automatic Voltage Controls (PES-07.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Automatic Voltage Controls (PES-07.1) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.2",
      "risk_if_not_implemented": "Without Emergency Shutoff, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Emergency Shutoff (PES-07.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Emergency Shutoff (PES-07.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.3",
      "risk_if_not_implemented": "Without Emergency Power, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Emergency Power (PES-07.3) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Emergency Power (PES-07.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.4",
      "risk_if_not_implemented": "Without Emergency Lighting, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Emergency Lighting (PES-07.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Emergency Lighting (PES-07.4) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.5",
      "risk_if_not_implemented": "Without Water Damage Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Water Damage Protection (PES-07.5) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Water Damage Protection (PES-07.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.6",
      "risk_if_not_implemented": "Without Automation Support for Water Damage Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Automation Support for Water Damage Protection (PES-07.6) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Automation Support for Water Damage Protection (PES-07.6) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-07.7",
      "risk_if_not_implemented": "Without Redundant Cabling, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Redundant Cabling (PES-07.7) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Redundant Cabling (PES-07.7) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-08",
      "risk_if_not_implemented": "Without Fire Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Fire Protection (PES-08) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Fire Protection (PES-08) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-08.1",
      "risk_if_not_implemented": "Without Fire Detection Devices, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Fire Detection Devices (PES-08.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-08",
        "name": "Fire Protection",
        "description": "Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.",
        "justification": "Fire Protection (PES-08) provides overlapping security capability that compensates for the absence of Fire Detection Devices (PES-08.1) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-08.2",
      "risk_if_not_implemented": "Without Fire Suppression Devices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-08",
        "name": "Fire Protection",
        "description": "Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.",
        "justification": "Fire Protection (PES-08) provides overlapping security capability that compensates for the absence of Fire Suppression Devices (PES-08.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Fire Suppression Devices (PES-08.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-08.3",
      "risk_if_not_implemented": "Without Automatic Fire Suppression, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Automatic Fire Suppression (PES-08.3) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-08",
        "name": "Fire Protection",
        "description": "Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.",
        "justification": "Fire Protection (PES-08) provides overlapping security capability that compensates for the absence of Automatic Fire Suppression (PES-08.3) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-09",
      "risk_if_not_implemented": "Without Temperature & Humidity Controls, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Temperature & Humidity Controls (PES-09) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Temperature & Humidity Controls (PES-09) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-09.1",
      "risk_if_not_implemented": "Without Monitoring with Alarms / Notifications, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Monitoring with Alarms / Notifications (PES-09.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-09",
        "name": "Temperature & Humidity Controls",
        "description": "Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility.",
        "justification": "Temperature & Humidity Controls (PES-09) provides overlapping security capability that compensates for the absence of Monitoring with Alarms / Notifications (PES-09.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-10",
      "risk_if_not_implemented": "Without Delivery & Removal, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Delivery & Removal (PES-10) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-05",
        "name": "Monitoring Physical Access",
        "description": "Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.",
        "justification": "Monitoring Physical Access (PES-05) provides detective monitoring capability that compensates for the absence of Delivery & Removal (PES-10) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-11",
      "risk_if_not_implemented": "Without Alternate Work Site, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-14",
        "name": "Remote Access",
        "description": "Mechanisms exist to define, control and review organization-approved, secure remote access methods.",
        "justification": "Remote Access (NET-14) provides access control enforcement that compensates for the absence of Alternate Work Site (PES-11) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-01",
        "name": "Physical & Environmental Protections",
        "description": "Mechanisms exist to facilitate the operation of physical and environmental protection controls.",
        "justification": "Physical & Environmental Protections (PES-01) provides physical access control that compensates for the absence of Alternate Work Site (PES-11) by preventing unauthorized physical interaction with systems and infrastructure. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-12",
      "risk_if_not_implemented": "Without Equipment Siting & Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Equipment Siting & Protection (PES-12) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Equipment Siting & Protection (PES-12) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-12.1",
      "risk_if_not_implemented": "Without Transmission Medium Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Transmission Medium Security (PES-12.1) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Transmission Medium Security (PES-12.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-12.2",
      "risk_if_not_implemented": "Without Access Control for Output Devices, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Access Control for Output Devices (PES-12.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PES-12",
        "name": "Equipment Siting & Protection",
        "description": "Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.",
        "justification": "Equipment Siting & Protection (PES-12) provides overlapping security capability that compensates for the absence of Access Control for Output Devices (PES-12.2) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-13",
      "risk_if_not_implemented": "Without Information Leakage Due To Electromagnetic Signals Emanations, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-04",
        "name": "Physical Security of Offices, Rooms & Facilities",
        "description": "Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.",
        "justification": "Physical Security of Offices, Rooms & Facilities (PES-04) provides physical access control that compensates for the absence of Information Leakage Due To Electromagnetic Signals Emanations (PES-13) by preventing unauthorized physical interaction with systems and infrastructure. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Information Leakage Due To Electromagnetic Signals Emanations (PES-13) by limiting attacker reach and lateral movement opportunities across the environment. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-14",
      "risk_if_not_implemented": "Without Asset Monitoring and Tracking, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Asset Monitoring and Tracking (PES-14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use;\n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Asset Monitoring and Tracking (PES-14) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-15",
      "risk_if_not_implemented": "Without Electromagnetic Pulse (EMP) Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-07",
        "name": "Supporting Utilities",
        "description": "Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.",
        "justification": "Supporting Utilities (PES-07) provides overlapping security capability that compensates for the absence of Electromagnetic Pulse (EMP) Protection (PES-15) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Electromagnetic Pulse (EMP) Protection (PES-15) by ensuring the organization can restore operations and data when the primary control is absent. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-16",
      "risk_if_not_implemented": "Without Component Marking, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Component Marking (PES-16) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use;\n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Component Marking (PES-16) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-17",
      "risk_if_not_implemented": "Without Proximity Sensor, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of Proximity Sensor (PES-17) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Proximity Sensor (PES-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-18",
      "risk_if_not_implemented": "Without On-Site Client Segregation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PES-03",
        "name": "Physical Access Control",
        "description": "Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).",
        "justification": "Physical Access Control (PES-03) provides access control enforcement that compensates for the absence of On-Site Client Segregation (PES-18) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of On-Site Client Segregation (PES-18) by limiting attacker reach and lateral movement opportunities across the environment. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PES-19",
      "risk_if_not_implemented": "Without Physical Access Device Inventories, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use;\n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Physical Access Device Inventories (PES-19) by addressing related risk objectives through an alternative control mechanism aligned with Facility applicability. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Physical Access Device Inventories (PES-19) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the facility and physical environment focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.1",
      "risk_if_not_implemented": "Without Chief Privacy Officer (CPO), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Chief Privacy Officer (CPO) (PRI-01.1) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Chief Privacy Officer (CPO) (PRI-01.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.2",
      "risk_if_not_implemented": "Without Privacy Act Statements, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Privacy Act Statements (PRI-01.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Privacy Act Statements (PRI-01.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.3",
      "risk_if_not_implemented": "Without Dissemination of Data Privacy Program Information, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Dissemination of Data Privacy Program Information (PRI-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-08",
        "name": "Personal Data (PD) Control Testing, Training & Monitoring",
        "description": "Mechanisms exist to conduct testing, training and monitoring activities for Personal Data (PD) controls.",
        "justification": "Personal Data (PD) Control Testing, Training & Monitoring (PRI-08) provides detective monitoring capability that compensates for the absence of Dissemination of Data Privacy Program Information (PRI-01.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.4",
      "risk_if_not_implemented": "Without Data Protection Officer (DPO), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-08",
        "name": "Personal Data (PD) Control Testing, Training & Monitoring",
        "description": "Mechanisms exist to conduct testing, training and monitoring activities for Personal Data (PD) controls.",
        "justification": "Personal Data (PD) Control Testing, Training & Monitoring (PRI-08) provides detective monitoring capability that compensates for the absence of Data Protection Officer (DPO) (PRI-01.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Data Protection Officer (DPO) (PRI-01.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.5",
      "risk_if_not_implemented": "Without Binding Corporate Rules (BCR), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-03",
        "name": "Defined Roles & Responsibilities",
        "description": "Mechanisms exist to define cybersecurity roles & responsibilities for all personnel.",
        "justification": "Defined Roles & Responsibilities (HRS-03) provides overlapping security capability that compensates for the absence of Binding Corporate Rules (BCR) (PRI-01.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Binding Corporate Rules (BCR) (PRI-01.5) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.6",
      "risk_if_not_implemented": "Without Security of Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Security of Personal Data (PD) (PRI-01.6) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Security of Personal Data (PD) (PRI-01.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.7",
      "risk_if_not_implemented": "Without Limiting Personal Data (PD) Disclosures, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Limiting Personal Data (PD) Disclosures (PRI-01.7) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Limiting Personal Data (PD) Disclosures (PRI-01.7) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.8",
      "risk_if_not_implemented": "Without Data Fiduciary, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Data Fiduciary (PRI-01.8) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Fiduciary (PRI-01.8) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.9",
      "risk_if_not_implemented": "Without Personal Data (PD) Process Manager, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Personal Data (PD) Process Manager (PRI-01.9) by establishing documented expectations, accountability structures, and organizational guardrails. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Personal Data (PD) Process Manager (PRI-01.9) by establishing documented expectations, accountability structures, and organizational guardrails. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.10",
      "risk_if_not_implemented": "Without Financial Incentives For Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Financial Incentives For Personal Data (PD) (PRI-01.10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Financial Incentives For Personal Data (PD) (PRI-01.10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-01.11",
      "risk_if_not_implemented": "Without Reasonable Data Privacy Practices, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Reasonable Data Privacy Practices (PRI-01.11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Reasonable Data Privacy Practices (PRI-01.11) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02",
      "risk_if_not_implemented": "Without Data Privacy Notice, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Data Privacy Notice (PRI-02) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Privacy Notice (PRI-02) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.1",
      "risk_if_not_implemented": "Without Purpose Specification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Purpose Specification (PRI-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Purpose Specification (PRI-02.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.2",
      "risk_if_not_implemented": "Without Automated Data Management Processes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Automated Data Management Processes (PRI-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Automated Data Management Processes (PRI-02.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.3",
      "risk_if_not_implemented": "Without Computer Matching Agreements (CMA), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Computer Matching Agreements (CMA) (PRI-02.3) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Computer Matching Agreements (CMA) (PRI-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.4",
      "risk_if_not_implemented": "Without System of Records Notice (SORN), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of System of Records Notice (SORN) (PRI-02.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of System of Records Notice (SORN) (PRI-02.4) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.5",
      "risk_if_not_implemented": "Without System of Records Notice (SORN) Review Process, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of System of Records Notice (SORN) Review Process (PRI-02.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of System of Records Notice (SORN) Review Process (PRI-02.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.6",
      "risk_if_not_implemented": "Without Privacy Act Exemptions, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Privacy Act Exemptions (PRI-02.6) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Privacy Act Exemptions (PRI-02.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.7",
      "risk_if_not_implemented": "Without Real-Time or Layered Notice, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Real-Time or Layered Notice (PRI-02.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Note that DCH-05 binds attributes to the information itself as it is stored, transmitted and processed; it does not, by itself, present any notice to the data subject at the point of collection. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Real-Time or Layered Notice (PRI-02.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.8",
      "risk_if_not_implemented": "Without Purpose Compatibility, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Purpose Compatibility (PRI-02.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Purpose Compatibility (PRI-02.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.9",
      "risk_if_not_implemented": "Without Privacy Notice Formatting, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Privacy Notice Formatting (PRI-02.9) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Privacy Notice Formatting (PRI-02.9) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Note that DCH-05 binds attributes to the information itself; it does not govern how a privacy notice is formatted or presented to individuals, so the notice-presentation gap remains until PRI-02.9 is implemented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.10",
      "risk_if_not_implemented": "Without Symmetry In Choice, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Symmetry In Choice (PRI-02.10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Symmetry In Choice (PRI-02.10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Note that DCH-05 binds attributes to the information itself as it is stored, transmitted and processed; it does not control how choices are presented to individuals, so this mapping should be read as partial coverage. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.11",
      "risk_if_not_implemented": "Without Choice Architecture, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Choice Architecture (PRI-02.11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Note that DCH-05 binds attributes to the information itself; it does not shape how privacy choices are presented to individuals, so this mapping should be read as partial coverage. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Choice Architecture (PRI-02.11) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.12",
      "risk_if_not_implemented": "Without Choice Architecture Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Choice Architecture Testing (PRI-02.12) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Choice Architecture Testing (PRI-02.12) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.13",
      "risk_if_not_implemented": "Without Notice of Right To Limit, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Notice of Right To Limit (PRI-02.13) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Notice of Right To Limit (PRI-02.13) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-02.14",
      "risk_if_not_implemented": "Without Alternative Means To Deliver Privacy Notice, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Alternative Means To Deliver Privacy Notice (PRI-02.14) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Alternative Means To Deliver Privacy Notice (PRI-02.14) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03",
      "risk_if_not_implemented": "Without Choice & Consent, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Choice & Consent (PRI-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Choice & Consent (PRI-03) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.1",
      "risk_if_not_implemented": "Without Tailored Consent, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Tailored Consent (PRI-03.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Tailored Consent (PRI-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.2",
      "risk_if_not_implemented": "Without Just-In-Time Notice & Updated Consent, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Just-In-Time Notice & Updated Consent (PRI-03.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Just-In-Time Notice & Updated Consent (PRI-03.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.3",
      "risk_if_not_implemented": "Without Prohibition of Selling, Processing and/or Sharing Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Prohibition of Selling, Processing and/or Sharing Personal Data (PD) (PRI-03.3) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Prohibition of Selling, Processing and/or Sharing Personal Data (PD) (PRI-03.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.4",
      "risk_if_not_implemented": "Without Revoke Consent, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Revoke Consent (PRI-03.4) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Revoke Consent (PRI-03.4) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.5",
      "risk_if_not_implemented": "Without Product or Service Delivery Restrictions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Product or Service Delivery Restrictions (PRI-03.5) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Product or Service Delivery Restrictions (PRI-03.5) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.6",
      "risk_if_not_implemented": "Without Authorized Agent, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Authorized Agent (PRI-03.6) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Authorized Agent (PRI-03.6) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.7",
      "risk_if_not_implemented": "Without Active Participation By Data Subjects, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Active Participation By Data Subjects (PRI-03.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Active Participation By Data Subjects (PRI-03.7) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.8",
      "risk_if_not_implemented": "Without Global Privacy Control (GPC), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Global Privacy Control (GPC) (PRI-03.8) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Global Privacy Control (GPC) (PRI-03.8) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.9",
      "risk_if_not_implemented": "Without Continued Use of Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Continued Use of Personal Data (PD) (PRI-03.9) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Continued Use of Personal Data (PD) (PRI-03.9) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.10",
      "risk_if_not_implemented": "Without Cease Processing, Storing and/or Sharing Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Cease Processing, Storing and/or Sharing Personal Data (PD) (PRI-03.10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Cease Processing, Storing and/or Sharing Personal Data (PD) (PRI-03.10) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.11",
      "risk_if_not_implemented": "Without Communicating Processing Changes, changes to how Personal Data (PD) is processed may take effect without data subjects being informed, so unauthorized or unreviewed processing changes may introduce privacy, compliance or security exposures into the environment.",
      "compensating_control_1": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Communicating Processing Changes (PRI-03.11) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Communicating Processing Changes (PRI-03.11) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.12",
      "risk_if_not_implemented": "Without Data Subject Opt-In Consent, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Data Subject Opt-In Consent (PRI-03.12) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Data Subject Opt-In Consent (PRI-03.12) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-03.13",
      "risk_if_not_implemented": "Without Parent or Guardian Opt-In Consent For Minors, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Parent or Guardian Opt-In Consent For Minors (PRI-03.13) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-03",
        "name": "Choice & Consent",
        "description": "Mechanisms exist to enable data subjects to authorize the collection, receiving, processing, storage, transmission, sharing, updating and/or disposal of their Personal Data (PD), where prior to collection the data subject is provided with:\n(1) Plain language to illustrate the potential data privacy risks of the authorization; \n(2) A means for users to decline the authorization; and\n(3) All necessary choice and consent-related criteria required by applicable statutory, regulatory and contractual obligations.",
        "justification": "Choice & Consent (PRI-03) provides privacy protection that compensates for the absence of Parent or Guardian Opt-In Consent For Minors (PRI-03.13) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04",
      "risk_if_not_implemented": "Without Restrict Collection To Identified Purpose, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Restrict Collection To Identified Purpose (PRI-04) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Restrict Collection To Identified Purpose (PRI-04) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.1",
      "risk_if_not_implemented": "Without Authority To Collect, Process, Store & Share Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-16",
        "name": "Data Mining Protection",
        "description": "Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques.",
        "justification": "Data Mining Protection (DCH-16) provides overlapping security capability that compensates for the absence of Authority To Collect, Process, Store & Share Personal Data (PD) (PRI-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Authority To Collect, Process, Store & Share Personal Data (PD) (PRI-04.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.2",
      "risk_if_not_implemented": "Without Primary Sources, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Primary Sources (PRI-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-04",
        "name": "Restrict Collection To Identified Purpose",
        "description": "Mechanisms exist to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
        "justification": "Restrict Collection To Identified Purpose (PRI-04) provides overlapping security capability that compensates for the absence of Primary Sources (PRI-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.3",
      "risk_if_not_implemented": "Without Identifiable Image Collection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-04",
        "name": "Restrict Collection To Identified Purpose",
        "description": "Mechanisms exist to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
        "justification": "Restrict Collection To Identified Purpose (PRI-04) provides overlapping security capability that compensates for the absence of Identifiable Image Collection (PRI-04.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Identifiable Image Collection (PRI-04.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.4",
      "risk_if_not_implemented": "Without Acquired Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Acquired Personal Data (PD) (PRI-04.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-04",
        "name": "Restrict Collection To Identified Purpose",
        "description": "Mechanisms exist to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
        "justification": "Restrict Collection To Identified Purpose (PRI-04) provides overlapping security capability that compensates for the absence of Acquired Personal Data (PD) (PRI-04.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.5",
      "risk_if_not_implemented": "Without Validate Collected Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Validate Collected Personal Data (PD) (PRI-04.5) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Validate Collected Personal Data (PD) (PRI-04.5) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.6",
      "risk_if_not_implemented": "Without Re-Validate Collected Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-04",
        "name": "Restrict Collection To Identified Purpose",
        "description": "Mechanisms exist to minimize the collection of Personal Data (PD) to only what is adequate, relevant and limited to the purposes identified in the data privacy notice, including protections against collecting PD from minors without appropriate parental or legal guardian consent.",
        "justification": "Restrict Collection To Identified Purpose (PRI-04) provides overlapping security capability that compensates for the absence of Re-Validate Collected Personal Data (PD) (PRI-04.6) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Re-Validate Collected Personal Data (PD) (PRI-04.6) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-04.7",
      "risk_if_not_implemented": "Without Personal Data (PD) Collection Methods, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Personal Data (PD) Collection Methods (PRI-04.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Personal Data (PD) Collection Methods (PRI-04.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05",
      "risk_if_not_implemented": "Without Personal Data (PD) Retention & Disposal, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) compensates for the disposal element of Personal Data (PD) Retention & Disposal (PRI-05) by requiring that media holding PD be sanitized, with strength and integrity commensurate with the data's sensitivity, before disposal, release out of organizational control or reuse, so PD on retired media is not recoverable. It does not define how long PD is retained or trigger disposal when a retention period lapses, so it should be paired with a retention control such as DCH-18 to cover the retention element. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Personal Data (PD) Retention & Disposal (PRI-05) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.1",
      "risk_if_not_implemented": "Without Internal Use of Personal Data (PD) For Testing, Training and Research, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Internal Use of Personal Data (PD) For Testing, Training and Research (PRI-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) compensates for the absence of Internal Use of Personal Data (PD) For Testing, Training and Research (PRI-05.1) by ensuring that media holding PD used in test, training or research activities is sanitized before it is disposed of, released out of organizational control or reused, so copies of PD do not persist beyond the activity. It does not restrict whether, or how much, live PD is used for those purposes in the first place, so minimization of PD in such environments still needs to be addressed separately. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.2",
      "risk_if_not_implemented": "Without Personal Data (PD) Accuracy & Integrity, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides only partial compensation for the absence of Personal Data (PD) Accuracy & Integrity (PRI-05.2): it does not keep PD in active use accurate, nor detect or prevent unauthorized modification of it, but it limits the spread of stale or inaccurate copies by ensuring media holding PD is sanitized before disposal, release out of organizational control or reuse. Because the core accuracy and integrity objective is not met by sanitization alone, residual risk should be explicitly reassessed rather than assumed acceptable until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Personal Data (PD) Accuracy & Integrity (PRI-05.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.3",
      "risk_if_not_implemented": "Without Data Masking, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) partially compensates for the absence of Data Masking (PRI-05.3) through its anonymization element (item 2), which de-identifies PD rather than masking it in place, and through bounded retention, which limits how long unmasked PD exists. It does not protect PD that remains in active use, where masking would normally apply, so PD exposed in non-production or shared environments still needs explicit handling. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Data Masking (PRI-05.3) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.4",
      "risk_if_not_implemented": "Without Usage Restrictions of Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Usage Restrictions of Personal Data (PD) (PRI-05.4) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Usage Restrictions of Personal Data (PD) (PRI-05.4) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.5",
      "risk_if_not_implemented": "Without Inventory of Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Inventory of Personal Data (PD) (PRI-05.5) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides only limited compensation for the absence of Inventory of Personal Data (PD) (PRI-05.5): it does not discover or record where PD resides, but by sanitizing media before disposal, release out of organizational control or reuse it reduces the number of unmanaged copies of PD that an eventual inventory would otherwise miss. Because the organization still cannot account for PD it does not know about, residual risk should be explicitly reassessed rather than assumed acceptable until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.6",
      "risk_if_not_implemented": "Without Personal Data (PD) Inventory Automation Support, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides only limited compensation for the absence of Personal Data (PD) Inventory Automation Support (PRI-05.6): it does not automate the discovery or tracking of PD, but by sanitizing media before disposal, release out of organizational control or reuse it limits the population of PD copies that a manual inventory must track. Given the technology-focused nature of this control, the compensating control does not replace automated inventory capability, and residual risk should be explicitly reassessed rather than assumed acceptable until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Personal Data (PD) Inventory Automation Support (PRI-05.6) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.7",
      "risk_if_not_implemented": "Without Personal Data (PD) Categories, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-18",
        "name": "Media & Data Retention",
        "description": "Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Media & Data Retention (DCH-18) provides overlapping security capability that compensates for the absence of Personal Data (PD) Categories (PRI-05.7) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Personal Data (PD) Categories (PRI-05.7) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-05.8",
      "risk_if_not_implemented": "Without Personal Data (PD) Formats, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-05",
        "name": "Personal Data (PD) Retention & Disposal",
        "description": "Mechanisms exist to: \n(1) Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;\n(2) Dispose of, destroys, erases, and/or anonymizes the PD, regardless of the method of storage; and\n(3) Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).",
        "justification": "Personal Data (PD) Retention & Disposal (PRI-05) provides privacy protection that compensates for the absence of Personal Data (PD) Formats (PRI-05.8) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-09",
        "name": "System Media Sanitization",
        "description": "Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.",
        "justification": "System Media Sanitization (DCH-09) provides overlapping security capability that compensates for the absence of Personal Data (PD) Formats (PRI-05.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06",
      "risk_if_not_implemented": "Without Data Subject Empowerment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Subject Empowerment (PRI-06) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Subject Empowerment (PRI-06) by establishing documented expectations, accountability structures, and organizational guardrails. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.1",
      "risk_if_not_implemented": "Without Correcting Inaccurate Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updated and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Correcting Inaccurate Personal Data (PD) (PRI-06.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-07",
        "name": "Grievances",
        "description": "Mechanisms exist to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.",
        "justification": "Grievances (CPL-07) provides overlapping security capability that compensates for the absence of Correcting Inaccurate Personal Data (PD) (PRI-06.1) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.2",
      "risk_if_not_implemented": "Without Notice of Correction or Processing Change, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Notice of Correction or Processing Change (PRI-06.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updated and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Notice of Correction or Processing Change (PRI-06.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.3",
      "risk_if_not_implemented": "Without Appeal Adverse Decision, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updated and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Appeal Adverse Decision (PRI-06.3) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Appeal Adverse Decision (PRI-06.3) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.4",
      "risk_if_not_implemented": "Without User Feedback Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of User Feedback Management (PRI-06.4) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updated and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of User Feedback Management (PRI-06.4) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.5",
      "risk_if_not_implemented": "Without Right to Erasure, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-07",
        "name": "Grievances",
        "description": "Mechanisms exist to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.",
        "justification": "Grievances (CPL-07) provides overlapping security capability that compensates for the absence of Right to Erasure (PRI-06.5) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updated and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Right to Erasure (PRI-06.5) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.6",
      "risk_if_not_implemented": "Without Data Portability, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-06",
        "name": "Data Subject Empowerment",
        "description": "Mechanisms exist to provide authenticated data subjects the ability to:\n(1) Access their Personal Data (PD) that is being processed, stored and shared, except where the burden, risk or expense of providing access would be disproportionate to the benefit offered to the data subject through granting access;\n(2) Obtain answers on the specifics of how their PD is collected, received, processed, stored, transmitted, shared, updated and/or disposed; \n(3) Obtain the source(s) of their PD; \n(4) Obtain the categories of their PD being collected, received, processed, stored and shared; \n(5) Request correction to their PD due to inaccuracies;\n(6) Request erasure of their PD; and\n(7) Restrict the further collecting, receiving, processing, storing, transmitting, updated and/or sharing of their PD.",
        "justification": "Data Subject Empowerment (PRI-06) provides privacy protection that compensates for the absence of Data Portability (PRI-06.6) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Portability (PRI-06.6) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.7",
      "risk_if_not_implemented": "Without Personal Data (PD) Exports, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Personal Data (PD) Exports (PRI-06.7) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Personal Data (PD) Exports (PRI-06.7) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-06.8",
      "risk_if_not_implemented": "Without Data Subject Authentication, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Subject Authentication (PRI-06.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Subject Authentication (PRI-06.8) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-07",
      "risk_if_not_implemented": "Without Information Sharing With Third Parties, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Information Sharing With Third Parties (PRI-07) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-14",
        "name": "Information Sharing",
        "description": "Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.",
        "justification": "Information Sharing (DCH-14) provides overlapping security capability that compensates for the absence of Information Sharing With Third Parties (PRI-07) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-07.2",
      "risk_if_not_implemented": "Without Joint Processing of Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Joint Processing of Personal Data (PD) (PRI-07.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-07",
        "name": "Information Sharing With Third Parties",
        "description": "Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.",
        "justification": "Information Sharing With Third Parties (PRI-07) provides third-party oversight that compensates for the absence of Joint Processing of Personal Data (PD) (PRI-07.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-07.3",
      "risk_if_not_implemented": "Without Obligation To Inform Third-Parties, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "PRI-07",
        "name": "Information Sharing With Third Parties",
        "description": "Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.",
        "justification": "Information Sharing With Third Parties (PRI-07) provides third-party oversight that compensates for the absence of Obligation To Inform Third-Parties (PRI-07.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-14",
        "name": "Information Sharing",
        "description": "Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.",
        "justification": "Information Sharing (DCH-14) provides overlapping security capability that compensates for the absence of Obligation To Inform Third-Parties (PRI-07.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-07.4",
      "risk_if_not_implemented": "Without Reject Unauthenticated or Untrustworthy Disclosure Requests, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "DCH-14",
        "name": "Information Sharing",
        "description": "Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.",
        "justification": "Information Sharing (DCH-14) provides overlapping security capability that compensates for the absence of Reject Unauthenticated or Untrustworthy Disclosure Requests (PRI-07.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-07",
        "name": "Information Sharing With Third Parties",
        "description": "Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.",
        "justification": "Information Sharing With Third Parties (PRI-07) provides third-party oversight that compensates for the absence of Reject Unauthenticated or Untrustworthy Disclosure Requests (PRI-07.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-07.5",
      "risk_if_not_implemented": "Without Justification To Reject Disclosure Requests, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Justification To Reject Disclosure Requests (PRI-07.5) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-07",
        "name": "Information Sharing With Third Parties",
        "description": "Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.",
        "justification": "Information Sharing With Third Parties (PRI-07) provides third-party oversight that compensates for the absence of Justification To Reject Disclosure Requests (PRI-07.5) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-08",
      "risk_if_not_implemented": "Without Personal Data (PD) Control Testing, Training & Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Personal Data (PD) Control Testing, Training & Monitoring (PRI-08) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Personal Data (PD) Control Testing, Training & Monitoring (PRI-08) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-09",
      "risk_if_not_implemented": "Without Personal Data (PD) Lineage, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-24",
        "name": "Information Location",
        "description": "Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.",
        "justification": "Information Location (DCH-24) provides overlapping security capability that compensates for the absence of Personal Data (PD) Lineage (PRI-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Personal Data (PD) Lineage (PRI-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-10",
      "risk_if_not_implemented": "Without Data Quality Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Data Quality Management (PRI-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Data Quality Management (PRI-10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-10.1",
      "risk_if_not_implemented": "Without Data Quality Automation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Data Quality Automation (PRI-10.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Data Quality Automation (PRI-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-10.2",
      "risk_if_not_implemented": "Without controls addressing Data Analytics Bias, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Data Analytics Bias (PRI-10.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-10",
        "name": "Data Quality Management",
        "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "justification": "Data Quality Management (PRI-10) provides overlapping security capability that compensates for the absence of Data Analytics Bias (PRI-10.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-11",
      "risk_if_not_implemented": "Without Data Tagging, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-04",
        "name": "Media Marking",
        "description": "Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.",
        "justification": "Media Marking (DCH-04) provides overlapping security capability that compensates for the absence of Data Tagging (PRI-11) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-05",
        "name": "Cybersecurity & Data Protection Attributes",
        "description": "Mechanisms exist to bind cybersecurity and data protection attributes to information as it is stored, transmitted and processed.",
        "justification": "Cybersecurity & Data Protection Attributes (DCH-05) provides overlapping security capability that compensates for the absence of Data Tagging (PRI-11) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-12",
      "risk_if_not_implemented": "Without an Updating Personal Data (PD) Process, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Updating Personal Data (PD) Process (PRI-12) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-10",
        "name": "Data Quality Management",
        "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "justification": "Data Quality Management (PRI-10) provides overlapping security capability that compensates for the absence of Updating Personal Data (PD) Process (PRI-12) by addressing related risk objectives through an alternative control mechanism aligned with Data applicability. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-12.1",
      "risk_if_not_implemented": "Without Enabling Data Subjects To Update Personal Data (PD), personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "PRI-10",
        "name": "Data Quality Management",
        "description": "Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.",
        "justification": "Data Quality Management (PRI-10) provides overlapping security capability that compensates for the absence of Enabling Data Subjects To Update Personal Data (PD) (PRI-12.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-22",
        "name": "Data Quality Operations",
        "description": "Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.",
        "justification": "Data Quality Operations (DCH-22) provides overlapping security capability that compensates for the absence of Enabling Data Subjects To Update Personal Data (PD) (PRI-12.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-13",
      "risk_if_not_implemented": "Without Data Management Board, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Data Management Board (PRI-13) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Management Board (PRI-13) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-14",
      "risk_if_not_implemented": "Without Documenting Data Processing Activities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Documenting Data Processing Activities (PRI-14) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Documenting Data Processing Activities (PRI-14) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-14.1",
      "risk_if_not_implemented": "Without Accounting of Disclosures, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Accounting of Disclosures (PRI-14.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Accounting of Disclosures (PRI-14.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-14.2",
      "risk_if_not_implemented": "Without Notification of Disclosure Request To Data Subject, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Notification of Disclosure Request To Data Subject (PRI-14.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-14",
        "name": "Documenting Data Processing Activities",
        "description": "Mechanisms exist to document Personal Data (PD) processing activities that cover collection, receiving, processing, storage, transmission, sharing, updating and/or disposal actions with sufficient detail to demonstrate conformity with applicable statutory, regulatory and contractual requirements.",
        "justification": "Documenting Data Processing Activities (PRI-14) provides overlapping security capability that compensates for the absence of Notification of Disclosure Request To Data Subject (PRI-14.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-15",
      "risk_if_not_implemented": "Without the Register As A Data Controller and/or Data Processor control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Register As A Data Controller and/or Data Processor (PRI-15) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-10",
        "name": "Data Governance",
        "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "justification": "Data Governance (GOV-10) provides policy-level governance that compensates for the absence of Register As A Data Controller and/or Data Processor (PRI-15) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-17",
      "risk_if_not_implemented": "Without Data Subject Communications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Data Subject Communications (PRI-17) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Subject Communications (PRI-17) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-17.1",
      "risk_if_not_implemented": "Without Conspicuous Link To Data Privacy Notice, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Conspicuous Link To Data Privacy Notice (PRI-17.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Conspicuous Link To Data Privacy Notice (PRI-17.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-17.2",
      "risk_if_not_implemented": "Without Notice of Financial Incentive, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-17",
        "name": "Data Subject Communications",
        "description": "Mechanisms exist to craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person.",
        "justification": "Data Subject Communications (PRI-17) provides privacy protection that compensates for the absence of Notice of Financial Incentive (PRI-17.2) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Notice of Financial Incentive (PRI-17.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-17.3",
      "risk_if_not_implemented": "Without Data Subject Communications Documentation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Data Subject Communications Documentation (PRI-17.3) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-17",
        "name": "Data Subject Communications",
        "description": "Mechanisms exist to craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person.",
        "justification": "Data Subject Communications (PRI-17) provides privacy protection that compensates for the absence of Data Subject Communications Documentation (PRI-17.3) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-17.4",
      "risk_if_not_implemented": "Without Data Subject Communications Metrics, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-17",
        "name": "Data Subject Communications",
        "description": "Mechanisms exist to craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person.",
        "justification": "Data Subject Communications (PRI-17) provides privacy protection that compensates for the absence of Data Subject Communications Metrics (PRI-17.4) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Data Subject Communications Metrics (PRI-17.4) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-17.5",
      "risk_if_not_implemented": "Without Data Subject Communications Disclosure, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Subject Communications Disclosure (PRI-17.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-17",
        "name": "Data Subject Communications",
        "description": "Mechanisms exist to craft disclosures and communications to data subjects in a manner that is concise, unambiguous and understandable by a reasonable person.",
        "justification": "Data Subject Communications (PRI-17) provides privacy protection that compensates for the absence of Data Subject Communications Disclosure (PRI-17.5) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-18",
      "risk_if_not_implemented": "Without Data Controller Communications, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Controller Communications (PRI-18) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Controller Communications (PRI-18) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-19",
      "risk_if_not_implemented": "Without Automated Decision-Making Technology (ADMT) For Data Subject Actions, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Automated Decision-Making Technology (ADMT) For Data Subject Actions (PRI-19) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Automated Decision-Making Technology (ADMT) For Data Subject Actions (PRI-19) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-19.1",
      "risk_if_not_implemented": "Without Automated Decision-Making Technology (ADMT) Use Notification, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Automated Decision-Making Technology (ADMT) Use Notification (PRI-19.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Automated Decision-Making Technology (ADMT) Use Notification (PRI-19.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-19.2",
      "risk_if_not_implemented": "Without Automated Decision-Making Technology (ADMT) Opt-Out Consent, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Automated Decision-Making Technology (ADMT) Opt-Out Consent (PRI-19.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-19",
        "name": "Automated Decision-Making Technology (ADMT) For Data Subject Actions",
        "description": "Mechanisms exist to ensure data subject actions utilizing Automated Decision-Making Technology (ADMT) where computation replaces, or substantially replaces, human decisionmaking, conforms with all applicable statutory, regulatory and/or contractual obligations.",
        "justification": "Automated Decision-Making Technology (ADMT) For Data Subject Actions (PRI-19) provides detective monitoring capability that compensates for the absence of Automated Decision-Making Technology (ADMT) Opt-Out Consent (PRI-19.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-19.3",
      "risk_if_not_implemented": "Without Automated Decision-Making Technology (ADMT) Transparency, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "PRI-19",
        "name": "Automated Decision-Making Technology (ADMT) For Data Subject Actions",
        "description": "Mechanisms exist to ensure data subject actions utilizing Automated Decision-Making Technology (ADMT) where computation replaces, or substantially replaces, human decisionmaking, conforms with all applicable statutory, regulatory and/or contractual obligations.",
        "justification": "Automated Decision-Making Technology (ADMT) For Data Subject Actions (PRI-19) provides detective monitoring capability that compensates for the absence of Automated Decision-Making Technology (ADMT) Transparency (PRI-19.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Automated Decision-Making Technology (ADMT) Transparency (PRI-19.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-20",
      "risk_if_not_implemented": "Without Data Brokers, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Data Brokers (PRI-20) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Brokers (PRI-20) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-21",
      "risk_if_not_implemented": "Without Notice of Right To Opt-Out, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Notice of Right To Opt-Out (PRI-21) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Notice of Right To Opt-Out (PRI-21) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-21.1",
      "risk_if_not_implemented": "Without Opt-Out Links, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Opt-Out Links (PRI-21.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRI-02",
        "name": "Data Privacy Notice",
        "description": "Mechanisms exist to:\n(1) Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; \n(2) Ensure that data privacy notices are clear and easy-to-understand, expressing relevant information about how Personal Data (PD) is collected, received, processed, stored, transmitted, shared, updated and/or disposed;\n(3) Contain all necessary notice-related criteria required by applicable statutory, regulatory and contractual obligations;\n(4) Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice;\n(5) Periodically, review and update the content of the privacy notice, as necessary; and\n(6) Retain prior versions of the privacy notice, in accordance with data retention requirements.",
        "justification": "Data Privacy Notice (PRI-02) provides privacy protection that compensates for the absence of Opt-Out Links (PRI-21.1) by applying alternative privacy safeguards to protect personal data and honor data subject rights. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRI-21.2",
      "risk_if_not_implemented": "Without Alternative Opt-Out Link, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-21",
        "name": "Notice of Right To Opt-Out",
        "description": "Mechanisms exist to include a notification to data subjects within the data privacy notice of:\n(1) Their right to direct an organization that sells or shares their Personal Data (PD) to stop selling or sharing their PD; and\n(2) The methods available to exercise that right.",
        "justification": "Notice of Right To Opt-Out (PRI-21) provides overlapping security capability that compensates for the absence of Alternative Opt-Out Link (PRI-21.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Alternative Opt-Out Link (PRI-21.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-01",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Protection Portfolio Management, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Security, Compliance & Resilience Protection Portfolio Management (PRM-01) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Security, Compliance & Resilience Protection Portfolio Management (PRM-01) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-01.1",
      "risk_if_not_implemented": "Without Strategic Plan & Objectives, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Strategic Plan & Objectives (PRM-01.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Strategic Plan & Objectives (PRM-01.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-01.2",
      "risk_if_not_implemented": "Without Targeted Capability Maturity Levels, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Targeted Capability Maturity Levels (PRM-01.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-01",
        "name": "Security, Compliance & Resilience Protection Portfolio Management",
        "description": "Mechanisms exist to facilitate the implementation of resource planning controls that provide a portfolio management approach to achieve security, compliance and resilience objectives.",
        "justification": "Security, Compliance & Resilience Protection Portfolio Management (PRM-01) provides resilience and recovery capability that compensates for the absence of Targeted Capability Maturity Levels (PRM-01.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-02",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Resource Management, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Security, Compliance & Resilience Resource Management (PRM-02) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-05",
        "name": "Measures of Performance",
        "description": "Mechanisms exist to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
        "justification": "Measures of Performance (GOV-05) provides overlapping security capability that compensates for the absence of Security, Compliance & Resilience Resource Management (PRM-02) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-02.1",
      "risk_if_not_implemented": "Without Prioritization To Address Evolving Risks & Threats, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "GOV-05",
        "name": "Measures of Performance",
        "description": "Mechanisms exist to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
        "justification": "Measures of Performance (GOV-05) provides overlapping security capability that compensates for the absence of Prioritization To Address Evolving Risks & Threats (PRM-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Prioritization To Address Evolving Risks & Threats (PRM-02.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-03",
      "risk_if_not_implemented": "Without Allocation of Resources, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-02",
        "name": "Security, Compliance & Resilience Resource Management",
        "description": "Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the Security, Compliance & Resilience Program (SCRP) and document all exceptions to this requirement.",
        "justification": "Security, Compliance & Resilience Resource Management (PRM-02) provides a resourcing and capital-planning capability that compensates for the absence of Allocation of Resources (PRM-03) by ensuring investment requests include the resources needed to implement the SCRP and that any exceptions are documented, so control implementation is not left unfunded. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that PRM-02 and PRM-03 are closely related resourcing controls, so evidence that PRM-02 is actually operating (approved funding requests, documented exceptions) should be retained rather than assuming the overlap by itself closes the gap."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Allocation of Resources (PRM-03) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-05",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Requirements Definition, security, compliance and resilience requirements may not be identified or specified up front, so Technology Assets, Applications and/or Services (TAAS) may be built or procured without the controls needed to address applicable risks and threats, with gaps discovered late when remediation is costly.",
      "compensating_control_1": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Security, Compliance & Resilience Requirements Definition (PRM-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Security, Compliance & Resilience Requirements Definition (PRM-05) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-06",
      "risk_if_not_implemented": "Without Business Process Definition, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-08",
        "name": "Defining Business Context & Mission",
        "description": "Mechanisms exist to define the context of its business model and document the organization's mission.",
        "justification": "Defining Business Context & Mission (GOV-08) provides overlapping security capability that compensates for the absence of Business Process Definition (PRM-06) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Business Process Definition (PRM-06) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "PRM-08",
      "risk_if_not_implemented": "Without Manage Organizational Knowledge, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-05",
        "name": "Security, Compliance & Resilience Knowledge Sharing",
        "description": "Mechanisms exist to improve knowledge sharing across security, compliance and resilience personnel allowing for:\n(1) Efficient operations; and\n(2) Rapid and effective response to incidents.",
        "justification": "Security, Compliance & Resilience Knowledge Sharing (SAT-05) provides personnel training and awareness that compensates for the absence of Manage Organizational Knowledge (PRM-08) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides documented policies, standards and procedures that compensate for the absence of Manage Organizational Knowledge (PRM-08) by capturing and disseminating the knowledge needed for secure, compliant and resilient operations in a maintained, accessible form rather than leaving it with individuals. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-01.1",
      "risk_if_not_implemented": "Without Risk Framing, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides program-level governance that compensates for the absence of Risk Framing (RSK-01.1) by establishing the governance structure within which the organization sets and communicates the context for its risk decisions, even where a formal risk-framing activity has not yet been defined. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Risk Framing (RSK-01.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-01.2",
      "risk_if_not_implemented": "Without Risk Management Resourcing, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Risk Management Resourcing (RSK-01.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Risk Management Resourcing (RSK-01.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that RSK-01 is the base control that RSK-01.2 enhances, so it is expected to be in place already and offers limited additional compensation; evidence should show specifically how the risk management program is resourced rather than relying on the overlap alone."
      }
    },
    {
      "control_id": "RSK-01.3",
      "risk_if_not_implemented": "Without Risk Tolerance, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Risk Tolerance (RSK-01.3) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that RSK-01 is the base control that RSK-01.3 enhances, so it is expected to be in place already and offers limited additional compensation; evidence should show where acceptable levels of risk are actually decided and recorded within the program rather than relying on the overlap alone."
      },
      "compensating_control_2": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides program-level governance that compensates for the absence of Risk Tolerance (RSK-01.3) by establishing the governance structure through which decisions about what level of risk is acceptable are made and communicated, even where a formal risk tolerance statement has not yet been documented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-01.4",
      "risk_if_not_implemented": "Without Risk Threshold, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides program-level governance that compensates for the absence of Risk Threshold (RSK-01.4) by establishing the governance structure through which the points at which risk requires escalation or treatment are decided and communicated, even where formal thresholds have not yet been documented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Risk Threshold (RSK-01.4) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that RSK-01 is the base control that RSK-01.4 enhances, so it is expected to be in place already and offers limited additional compensation; evidence should show where escalation or treatment thresholds are actually applied within the program rather than relying on the overlap alone."
      }
    },
    {
      "control_id": "RSK-01.5",
      "risk_if_not_implemented": "Without Risk Appetite, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Risk Appetite (RSK-01.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides program-level governance that compensates for the absence of Risk Appetite (RSK-01.5) by establishing the governance structure through which leadership decides and communicates the amount of risk the organization is willing to pursue or accept, even where a formal risk appetite statement has not yet been documented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-02",
      "risk_if_not_implemented": "Without Risk-Based Security Categorization, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Risk-Based Security Categorization (RSK-02) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Risk-Based Security Categorization (RSK-02) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-02.1",
      "risk_if_not_implemented": "Without Impact-Level Prioritization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-02",
        "name": "Data & Asset Classification",
        "description": "Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.",
        "justification": "Data & Asset Classification (DCH-02) provides overlapping security capability that compensates for the absence of Impact-Level Prioritization (RSK-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Impact-Level Prioritization (RSK-02.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-03",
      "risk_if_not_implemented": "Without Risk Identification, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides threat identification and information-sharing capability that compensates for the absence of Risk Identification (RSK-03) by surfacing relevant threats that can inform security architecture, solution selection, monitoring, threat hunting and response, thereby giving a threat-driven input to identifying risks even when a formal risk identification process is not in place. Note that threat intelligence identifies threats rather than organizational risks, so it should be combined with an asset inventory to relate threats to the assets they affect. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Risk Identification (RSK-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-03.1",
      "risk_if_not_implemented": "Without Risk Catalog, identified risks may not be recorded in a consistent, shared form, so they may be lost, duplicated or tracked inconsistently across the organization, leaving risk ranking, treatment and reporting without a reliable basis.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Risk Catalog (RSK-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides threat identification and information-sharing capability that compensates for the absence of Risk Catalog (RSK-03.1) by maintaining a shared, current view of relevant threats that can serve as a partial substitute for a catalogued list of risks. Note that a threat feed is not a risk catalog, so identified threats still need to be recorded against the affected assets to avoid losing track of them. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-04.2",
      "risk_if_not_implemented": "Without Risk Assessment Methodology, risk assessments may be performed inconsistently and without a repeatable basis for estimating the likelihood and magnitude of harm, making results hard to compare over time or across assets and undermining risk-based prioritization.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Risk Assessment Methodology (RSK-04.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Risk Assessment Methodology (RSK-04.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that RSK-04 is the base control that RSK-04.2 enhances, so it is expected to be in place already; the compensation only holds if the recurring assessments follow a consistent, documented approach, which should be evidenced rather than assumed."
      }
    },
    {
      "control_id": "RSK-04.3",
      "risk_if_not_implemented": "Without Instances Requiring A Risk Assessment, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Instances Requiring A Risk Assessment (RSK-04.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented. Note that RSK-04 is the base control that RSK-04.3 enhances, so it is expected to be in place already; the compensation only holds if the assessment cadence is frequent enough to catch the changes that a defined list of triggering instances would have caught, which should be evidenced rather than assumed."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Instances Requiring A Risk Assessment (RSK-04.3) by surfacing changes and events in the environment that would otherwise be the defined triggers for a risk assessment, so that assessments can still be initiated in response to observed change even without a formally defined list of triggering instances. Note that monitoring only detects; someone must still be accountable for acting on what it surfaces by initiating an assessment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-04.4",
      "risk_if_not_implemented": "Without Risk Assessment Stakeholder Involvement, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Risk Assessment Stakeholder Involvement (RSK-04.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Risk Assessment Stakeholder Involvement (RSK-04.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-05",
      "risk_if_not_implemented": "Without Risk Ranking, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Risk Ranking (RSK-05) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-06",
        "name": "Monitoring Reporting",
        "description": "Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.",
        "justification": "Monitoring Reporting (MON-06) provides detective monitoring capability that compensates for the absence of Risk Ranking (RSK-05) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-06.1",
      "risk_if_not_implemented": "Without Risk Response, the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Risk Response (RSK-06.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Risk Response (RSK-06.1) by addressing known weaknesses before they can be exploited, thereby reducing the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-06.2",
      "risk_if_not_implemented": "Without Compensating Countermeasures, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Compensating Countermeasures (RSK-06.2) by addressing known weaknesses before they can be exploited, thereby reducing the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-06",
        "name": "Risk Remediation",
        "description": "Mechanisms exist to remediate risks to an acceptable level.",
        "justification": "Risk Remediation (RSK-06) provides vulnerability management that compensates for the absence of Compensating Countermeasures (RSK-06.2) by addressing known weaknesses before they can be exploited, thereby reducing the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-06.3",
      "risk_if_not_implemented": "Without Risk Treatment Options, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-06",
        "name": "Risk Remediation",
        "description": "Mechanisms exist to remediate risks to an acceptable level.",
        "justification": "Risk Remediation (RSK-06) provides vulnerability management that compensates for the absence of Risk Treatment Options (RSK-06.3) by addressing known weaknesses before they can be exploited, thereby reducing the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Risk Treatment Options (RSK-06.3) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-06.4",
      "risk_if_not_implemented": "Without Risk Treatment Plan (RTP), security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Risk Treatment Plan (RTP) (RSK-06.4) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-06",
        "name": "Risk Remediation",
        "description": "Mechanisms exist to remediate risks to an acceptable level.",
        "justification": "Risk Remediation (RSK-06) provides vulnerability management that compensates for the absence of Risk Treatment Plan (RTP) (RSK-06.4) by addressing known weaknesses before they can be exploited, thereby reducing the exploitable attack surface. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-07",
      "risk_if_not_implemented": "Without Risk Assessment Update, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Risk Assessment Update (RSK-07) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Risk Assessment Update (RSK-07) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-08",
      "risk_if_not_implemented": "Without Business Impact Analysis (BIA), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Business Impact Analysis (BIA) (RSK-08) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Business Impact Analysis (BIA) (RSK-08) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-09.1",
      "risk_if_not_implemented": "Without Supply Chain Risk Assessment, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Supply Chain Risk Assessment (RSK-09.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Supply Chain Risk Assessment (RSK-09.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-09.2",
      "risk_if_not_implemented": "Without AI & Autonomous Technologies Supply Chain Impacts, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of AI & Autonomous Technologies Supply Chain Impacts (RSK-09.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of AI & Autonomous Technologies Supply Chain Impacts (RSK-09.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-10",
      "risk_if_not_implemented": "Without Data Protection Impact Assessment (DPIA), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRI-01",
        "name": "Data Privacy Program",
        "description": "Mechanisms exist to facilitate the implementation and operation of data protection controls throughout the data lifecycle to ensure all forms of Personal Data (PD) are processed lawfully, fairly and transparently.",
        "justification": "Data Privacy Program (PRI-01) provides policy-level governance that compensates for the absence of Data Protection Impact Assessment (DPIA) (RSK-10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Data Protection Impact Assessment (DPIA) (RSK-10) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-11",
      "risk_if_not_implemented": "Without Risk Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Risk Monitoring (RSK-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Risk Monitoring (RSK-11) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-12",
      "risk_if_not_implemented": "Without Risk Culture, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Risk Culture (RSK-12) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Risk Culture (RSK-12) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-13",
      "risk_if_not_implemented": "Without Executive Leadership Approval For Managing Material Risk, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Executive Leadership Approval For Managing Material Risk (RSK-13) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-11",
        "name": "Risk Monitoring",
        "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "justification": "Risk Monitoring (RSK-11) provides detective monitoring capability that compensates for the absence of Executive Leadership Approval For Managing Material Risk (RSK-13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-13.1",
      "risk_if_not_implemented": "Without Documented Alternatives, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-11",
        "name": "Risk Monitoring",
        "description": "Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of security, compliance and resilience controls, compliance and change management.",
        "justification": "Risk Monitoring (RSK-11) provides detective monitoring capability that compensates for the absence of Documented Alternatives (RSK-13.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Documented Alternatives (RSK-13.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "RSK-13.2",
      "risk_if_not_implemented": "Without Documented Justification For Material Risk Management Decisions, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-02",
        "name": "Security, Compliance & Resilience Controls Oversight",
        "description": "Mechanisms exist to provide a security, compliance and resilience controls oversight function that reports to the organization's executive leadership.",
        "justification": "Security, Compliance & Resilience Controls Oversight (CPL-02) provides resilience and recovery capability that compensates for the absence of Documented Justification For Material Risk Management Decisions (RSK-13.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-13",
        "name": "Executive Leadership Approval For Managing Material Risk",
        "description": "Mechanisms exist to obtain executive leadership approval for risk management decisions involving material risk.",
        "justification": "Executive Leadership Approval For Managing Material Risk (RSK-13) provides risk identification and prioritization that compensates for the absence of Documented Justification For Material Risk Management Decisions (RSK-13.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-01.1",
      "risk_if_not_implemented": "Without Centralized Management of Security, Compliance & Resilience Controls, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Centralized Management of Security, Compliance & Resilience Controls (SEA-01.1) by addressing related risk objectives through an alternative control mechanism with the same process-level applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Centralized Management of Security, Compliance & Resilience Controls (SEA-01.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-01.2",
      "risk_if_not_implemented": "Without Achieving Resilience Requirements, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Achieving Resilience Requirements (SEA-01.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Achieving Resilience Requirements (SEA-01.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-01.3",
      "risk_if_not_implemented": "Without Resilience Capabilities, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Resilience Capabilities (SEA-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Resilience Capabilities (SEA-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-02",
      "risk_if_not_implemented": "Without Alignment With Enterprise Architecture, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Alignment With Enterprise Architecture (SEA-02) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Alignment With Enterprise Architecture (SEA-02) by limiting attacker reach and lateral movement opportunities across the environment, thereby containing the exposure that an unaligned or ad hoc architecture can create. It reduces the consequences of misalignment rather than establishing architectural alignment itself. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-02.1",
      "risk_if_not_implemented": "Without Standardized Terminology, security, compliance and resilience requirements may be interpreted inconsistently across teams and documents, resulting in misunderstood control obligations, duplicated or missing controls and unreliable reporting.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Standardized Terminology (SEA-02.1) by limiting attacker reach and lateral movement opportunities across the environment, so that errors arising from inconsistently understood requirements are contained to a smaller blast radius. It does not address the underlying inconsistency in how requirements are expressed, so it should be paired with a documented glossary or data dictionary as an interim measure. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-02",
        "name": "Alignment With Enterprise Architecture",
        "description": "Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for security, compliance and resilience principles that addresses risk to organizational operations, assets, individuals and other organizations.",
        "justification": "Alignment With Enterprise Architecture (SEA-02) provides overlapping security capability that compensates for the absence of Standardized Terminology (SEA-02.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-02.2",
      "risk_if_not_implemented": "Without Outsourcing Non-Essential Functions or Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-02",
        "name": "Alignment With Enterprise Architecture",
        "description": "Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for security, compliance and resilience principles that addresses risk to organizational operations, assets, individuals and other organizations.",
        "justification": "Alignment With Enterprise Architecture (SEA-02) provides overlapping security capability that compensates for the absence of Outsourcing Non-Essential Functions or Services (SEA-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Outsourcing Non-Essential Functions or Services (SEA-02.2) by limiting attacker reach and lateral movement opportunities across the environment, so that non-essential functions retained in-house can be isolated from critical systems. It does not address the decision to retain or outsource those functions; it limits the exposure created while they remain in-house. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-02.3",
      "risk_if_not_implemented": "Without Technical Debt Reviews, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Technical Debt Reviews (SEA-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-02",
        "name": "Alignment With Enterprise Architecture",
        "description": "Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for security, compliance and resilience principles that addresses risk to organizational operations, assets, individuals and other organizations.",
        "justification": "Alignment With Enterprise Architecture (SEA-02) provides overlapping security capability that compensates for the absence of Technical Debt Reviews (SEA-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-03.1",
      "risk_if_not_implemented": "Without System Partitioning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides overlapping security capability that compensates for the absence of System Partitioning (SEA-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of System Partitioning (SEA-03.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-03.2",
      "risk_if_not_implemented": "Without Application Partitioning, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Application Partitioning (SEA-03.2) by limiting attacker reach and lateral movement opportunities across the environment; separating application tiers or user-facing and administrative functions onto distinct network segments approximates partitioning at the network layer. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-03",
        "name": "Defense-In-Depth (DiD) Architecture",
        "description": "Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
        "justification": "Defense-In-Depth (DiD) Architecture (SEA-03) provides overlapping security capability that compensates for the absence of Application Partitioning (SEA-03.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-04",
      "risk_if_not_implemented": "Without Process Isolation, a compromised or faulty process may read or modify the memory and resources of other processes on the same system, enabling privilege escalation, data exposure and cascading failures.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Process Isolation (SEA-04) by limiting attacker reach and lateral movement opportunities across the environment. Segmentation operates between hosts and network zones; it does not prevent one process from accessing the execution domain of another process on the same host, so this compensation reduces the reach of a compromise rather than preventing it. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Process Isolation (SEA-04) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Removing unneeded services reduces the number of processes that can be targeted or abused, but it does not enforce an execution boundary between the processes that remain. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-04.1",
      "risk_if_not_implemented": "Without Security Function Isolation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Security Function Isolation (SEA-04.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Security Function Isolation (SEA-04.1) by limiting attacker reach and lateral movement opportunities across the environment; placing systems that host security functions in a dedicated, access-restricted segment approximates isolation at the network layer. It does not isolate security functions from non-security functions running on the same host. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-04.2",
      "risk_if_not_implemented": "Without Hardware Separation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Hardware Separation (SEA-04.2) by limiting attacker reach and lateral movement opportunities across the environment. Segmentation constrains communication between systems but does not separate workloads that share the same physical hardware, so it reduces the reach of a compromise rather than reproducing a physical boundary. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-04",
        "name": "Process Isolation",
        "description": "Mechanisms exist to implement a separate execution domain for each executing process.",
        "justification": "Process Isolation (SEA-04) provides overlapping security capability that compensates for the absence of Hardware Separation (SEA-04.2) by enforcing a separate execution domain for each process, which provides a software boundary where a physical one is absent. Software-enforced isolation is a weaker boundary than physical separation and depends on the correctness of the operating system or hypervisor enforcing it, so the residual risk of cross-domain leakage should be assessed explicitly. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-04.3",
      "risk_if_not_implemented": "Without Thread Separation, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-04",
        "name": "Process Isolation",
        "description": "Mechanisms exist to implement a separate execution domain for each executing process.",
        "justification": "Process Isolation (SEA-04) provides overlapping security capability that compensates for the absence of Thread Separation (SEA-04.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Thread Separation (SEA-04.3) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-04.4",
      "risk_if_not_implemented": "Without System Privileges Isolation, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of System Privileges Isolation (SEA-04.4) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-04",
        "name": "Process Isolation",
        "description": "Mechanisms exist to implement a separate execution domain for each executing process.",
        "justification": "Process Isolation (SEA-04) provides overlapping security capability that compensates for the absence of System Privileges Isolation (SEA-04.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-05",
      "risk_if_not_implemented": "Without Information In Shared Resources, information may be transferred, unintentionally or without authorization, between users or processes via shared system resources, resulting in unauthorized disclosure of data.",
      "compensating_control_1": {
        "control_id": "CRY-05",
        "name": "Encrypting Data At Rest",
        "description": "Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.",
        "justification": "Encrypting Data At Rest (CRY-05) provides cryptographic protection that compensates for the absence of Information In Shared Resources (SEA-05) by preventing unauthorized disclosure of stored data that remains on shared storage after use. Encryption at rest does not protect data while it is in use in shared volatile resources such as memory or caches, and it offers no protection where the consuming process already holds the decryption key, so it addresses only part of the shared-resource exposure. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Information In Shared Resources (SEA-05) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-06",
      "risk_if_not_implemented": "Without Prevent Program Execution, unauthorized or malicious software may be executed on systems, increasing the risk of malware infection, use of unapproved tooling and compromise of system integrity.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Prevent Program Execution (SEA-06) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Prevent Program Execution (SEA-06) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-07",
      "risk_if_not_implemented": "Without Predictable Failure Analysis, component failures may occur without warning or planned replacement, resulting in unplanned outages, loss of availability and failure of dependent security functions.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Predictable Failure Analysis (SEA-07) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Predictable Failure Analysis (SEA-07) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-07.1",
      "risk_if_not_implemented": "Without Technology Lifecycle Management, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Technology Lifecycle Management (SEA-07.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Technology Lifecycle Management (SEA-07.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-07.2",
      "risk_if_not_implemented": "Without Fail Secure, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Fail Secure (SEA-07.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-07",
        "name": "Predictable Failure Analysis",
        "description": "Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.",
        "justification": "Predictable Failure Analysis (SEA-07) provides overlapping security capability that compensates for the absence of Fail Secure (SEA-07.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-07.3",
      "risk_if_not_implemented": "Without Fail Safe, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "SEA-07",
        "name": "Predictable Failure Analysis",
        "description": "Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.",
        "justification": "Predictable Failure Analysis (SEA-07) provides overlapping security capability that compensates for the absence of Fail Safe (SEA-07.3) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Fail Safe (SEA-07.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-08",
      "risk_if_not_implemented": "Without Non-Persistence, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Non-Persistence (SEA-08) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Non-Persistence (SEA-08) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-08.1",
      "risk_if_not_implemented": "Without Refresh from Trusted Sources, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Refresh from Trusted Sources (SEA-08.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Refresh from Trusted Sources (SEA-08.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-09",
      "risk_if_not_implemented": "Without Information Output Filtering, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Information Output Filtering (SEA-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Information Output Filtering (SEA-09) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-09.1",
      "risk_if_not_implemented": "Without Limit Personal Data (PD) Dissemination, personal data may be processed without appropriate safeguards, increasing regulatory and reputational risk.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Limit Personal Data (PD) Dissemination (SEA-09.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Limit Personal Data (PD) Dissemination (SEA-09.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the data-handling focus of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-10",
      "risk_if_not_implemented": "Without Memory Protection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Memory Protection (SEA-10) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides overlapping security capability that compensates for the absence of Memory Protection (SEA-10) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-11",
      "risk_if_not_implemented": "Without Honeypots, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Honeypots (SEA-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Honeypots (SEA-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-12",
      "risk_if_not_implemented": "Without Honeyclients, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-08",
        "name": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS)",
        "description": "Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.",
        "justification": "Network Intrusion Detection / Prevention Systems (NIDS / NIPS) (NET-08) provides detective monitoring capability that compensates for the absence of Honeyclients (SEA-12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Honeyclients (SEA-12) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-13",
      "risk_if_not_implemented": "Without Heterogeneity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-03",
        "name": "Defense-In-Depth (DiD) Architecture",
        "description": "Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
        "justification": "Defense-In-Depth (DiD) Architecture (SEA-03) provides overlapping security capability that compensates for the absence of Heterogeneity (SEA-13) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Heterogeneity (SEA-13) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-13.1",
      "risk_if_not_implemented": "Without Virtualization Techniques, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Virtualization Techniques (SEA-13.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-03",
        "name": "Defense-In-Depth (DiD) Architecture",
        "description": "Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
        "justification": "Defense-In-Depth (DiD) Architecture (SEA-03) provides overlapping security capability that compensates for the absence of Virtualization Techniques (SEA-13.1) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-14",
      "risk_if_not_implemented": "Without Concealment & Misdirection, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Concealment & Misdirection (SEA-14) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Concealment & Misdirection (SEA-14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-14.1",
      "risk_if_not_implemented": "Without Randomness, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Randomness (SEA-14.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Randomness (SEA-14.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-14.2",
      "risk_if_not_implemented": "Without Change Processing & Storage Locations, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Change Processing & Storage Locations (SEA-14.2) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-14",
        "name": "Concealment & Misdirection",
        "description": "Mechanisms exist to utilize concealment and misdirection techniques for Technology Assets, Applications and/or Services (TAAS) to confuse and mislead adversaries.",
        "justification": "Concealment & Misdirection (SEA-14) provides overlapping security capability that compensates for the absence of Change Processing & Storage Locations (SEA-14.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-15",
      "risk_if_not_implemented": "Without Distributed Processing & Storage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-11",
        "name": "Data Backups",
        "description": "Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).",
        "justification": "Data Backups (BCD-11) provides resilience and recovery capability that compensates for the absence of Distributed Processing & Storage (SEA-15) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Distributed Processing & Storage (SEA-15) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-16",
      "risk_if_not_implemented": "Without Non-Modifiable Executable Programs, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Non-Modifiable Executable Programs (SEA-16) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-18",
        "name": "File Activity Monitoring (FAM)",
        "description": "Automated mechanisms exist to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
        "justification": "File Activity Monitoring (FAM) (MON-18) provides detective monitoring capability that compensates for the absence of Non-Modifiable Executable Programs (SEA-16) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-17",
      "risk_if_not_implemented": "Without Secure Log-On Procedures, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAC-22",
        "name": "Account Lockout",
        "description": "Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically locks the account when the maximum number of unsuccessful attempts is exceeded.",
        "justification": "Account Lockout (IAC-22) provides access control enforcement that compensates for the absence of Secure Log-On Procedures (SEA-17) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Secure Log-On Procedures (SEA-17) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-18",
      "risk_if_not_implemented": "Without System Use Notification (Logon Banner), security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of System Use Notification (Logon Banner) (SEA-18) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of System Use Notification (Logon Banner) (SEA-18) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-18.1",
      "risk_if_not_implemented": "Without Standardized Microsoft Windows Banner, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Standardized Microsoft Windows Banner (SEA-18.1) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Standardized Microsoft Windows Banner (SEA-18.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-18.2",
      "risk_if_not_implemented": "Without Truncated Banner, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Truncated Banner (SEA-18.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-18",
        "name": "System Use Notification (Logon Banner)",
        "description": "Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to Technology Assets, Applications and/or Services (TAAS).",
        "justification": "System Use Notification (Logon Banner) (SEA-18) provides detective monitoring capability that compensates for the absence of Truncated Banner (SEA-18.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-19",
      "risk_if_not_implemented": "Without Previous Logon Notification, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Previous Logon Notification (SEA-19) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Previous Logon Notification (SEA-19) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-20",
      "risk_if_not_implemented": "Without Clock Synchronization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-07",
        "name": "Time Stamps",
        "description": "Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.",
        "justification": "Time Stamps (MON-07) provides overlapping security capability that compensates for the absence of Clock Synchronization (SEA-20) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-02",
        "name": "Centralized Collection of Security Event Logs",
        "description": "Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.",
        "justification": "Centralized Collection of Security Event Logs (MON-02) provides detective monitoring capability that compensates for the absence of Clock Synchronization (SEA-20) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-21",
      "risk_if_not_implemented": "Without Application Container, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegementation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegementation) (NET-06) provides network-level access restriction that compensates for the absence of Application Container (SEA-21) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Application Container (SEA-21) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SEA-22",
      "risk_if_not_implemented": "Without Privileged Environments, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Privileged Environments (SEA-22) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-03",
        "name": "Least Functionality",
        "description": "Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.",
        "justification": "Least Functionality (CFG-03) provides configuration hardening that compensates for the absence of Privileged Environments (SEA-22) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-01",
      "risk_if_not_implemented": "Without Operations Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Operations Security (OPS-01) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Operations Security (OPS-01) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-01.1",
      "risk_if_not_implemented": "Without Standardized Operating Procedures (SOP), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Standardized Operating Procedures (SOP) (OPS-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Standardized Operating Procedures (SOP) (OPS-01.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-02",
      "risk_if_not_implemented": "Without Security Concept Of Operations (CONOPS), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Security Concept Of Operations (CONOPS) (OPS-02) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Security Concept Of Operations (CONOPS) (OPS-02) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-03",
      "risk_if_not_implemented": "Without Service Delivery (Business Process Support), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Service Delivery (Business Process Support) (OPS-03) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CAP-01",
        "name": "Capacity & Performance Management",
        "description": "Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.",
        "justification": "Capacity & Performance Management (CAP-01) provides overlapping security capability that compensates for the absence of Service Delivery (Business Process Support) (OPS-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-04",
      "risk_if_not_implemented": "Without Security Operations Center (SOC), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Security Operations Center (SOC) (OPS-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IRO-01",
        "name": "Incident Response Operations",
        "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
        "justification": "Incident Response Operations (IRO-01) provides incident response capability that compensates for the absence of Security Operations Center (SOC) (OPS-04) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-05",
      "risk_if_not_implemented": "Without Secure Practices Guidelines, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Secure Practices Guidelines (OPS-05) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Secure Practices Guidelines (OPS-05) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-06",
      "risk_if_not_implemented": "Without Security Orchestration, Automation, and Response (SOAR), the organization may lack capability to detect, contain, or recover from security incidents effectively.",
      "compensating_control_1": {
        "control_id": "IRO-01",
        "name": "Incident Response Operations",
        "description": "Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity and data protection-related incidents.",
        "justification": "Incident Response Operations (IRO-01) provides incident response capability that compensates for the absence of Security Orchestration, Automation, and Response (SOAR) (OPS-06) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Security Orchestration, Automation, and Response (SOAR) (OPS-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "OPS-07",
      "risk_if_not_implemented": "Without Shadow Information Technology Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "AST-02",
        "name": "Asset Inventories",
        "description": "Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:\n(1) Accurately reflects the current TAASD in use; \n(2) Identifies authorized software products, including business justification details;\n(3) Is at the level of granularity deemed necessary for tracking and reporting;\n(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and\n(5) Is available for review and audit by designated organizational personnel.",
        "justification": "Asset Inventories (AST-02) provides overlapping security capability that compensates for the absence of Shadow Information Technology Detection (OPS-07) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Shadow Information Technology Detection (OPS-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-01",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience-Minded Workforce, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Security, Compliance & Resilience-Minded Workforce (SAT-01) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-01",
        "name": "Human Resources Security Management",
        "description": "Mechanisms exist to facilitate the implementation of personnel security controls.",
        "justification": "Human Resources Security Management (HRS-01) provides overlapping security capability that compensates for the absence of Security, Compliance & Resilience-Minded Workforce (SAT-01) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-01.1",
      "risk_if_not_implemented": "Without Maintaining Workforce Development Relevancy, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "HRS-01",
        "name": "Human Resources Security Management",
        "description": "Mechanisms exist to facilitate the implementation of personnel security controls.",
        "justification": "Human Resources Security Management (HRS-01) provides overlapping security capability that compensates for the absence of Maintaining Workforce Development Relevancy (SAT-01.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-01",
        "name": "Security, Compliance & Resilience Program (SCRP)",
        "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
        "justification": "Security, Compliance & Resilience Program (SCRP) (GOV-01) provides resilience and recovery capability that compensates for the absence of Maintaining Workforce Development Relevancy (SAT-01.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-02",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Awareness Training, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Security, Compliance & Resilience Awareness Training (SAT-02) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Security, Compliance & Resilience Awareness Training (SAT-02) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-02.1",
      "risk_if_not_implemented": "Without Simulated Cyber Attack Scenario Training, personnel may lack knowledge to recognize threats, increasing susceptibility to phishing and social engineering.",
      "compensating_control_1": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Simulated Cyber Attack Scenario Training (SAT-02.1) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Simulated Cyber Attack Scenario Training (SAT-02.1) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-02.2",
      "risk_if_not_implemented": "Without Social Engineering & Mining, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-05",
        "name": "Security, Compliance & Resilience Knowledge Sharing",
        "description": "Mechanisms exist to improve knowledge sharing across security, compliance and resilience personnel allowing for:\n(1) Efficient operations; and\n(2) Rapid and effective response to incidents.",
        "justification": "Security, Compliance & Resilience Knowledge Sharing (SAT-05) provides personnel training and awareness that compensates for the absence of Social Engineering & Mining (SAT-02.2) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Social Engineering & Mining (SAT-02.2) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03",
      "risk_if_not_implemented": "Without Role-Based Security, Compliance & Resilience Training, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Role-Based Security, Compliance & Resilience Training (SAT-03) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Role-Based Security, Compliance & Resilience Training (SAT-03) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.1",
      "risk_if_not_implemented": "Without Practical Exercises, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Practical Exercises (SAT-03.1) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Practical Exercises (SAT-03.1) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.2",
      "risk_if_not_implemented": "Without Suspicious Communications & Anomalous System Behavior, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Suspicious Communications & Anomalous System Behavior (SAT-03.2) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Suspicious Communications & Anomalous System Behavior (SAT-03.2) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.3",
      "risk_if_not_implemented": "Without Sensitive / Regulated Data Storage, Handling & Processing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Sensitive / Regulated Data Storage, Handling & Processing (SAT-03.3) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Sensitive / Regulated Data Storage, Handling & Processing (SAT-03.3) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.4",
      "risk_if_not_implemented": "Without Vendor Security, Compliance & Resilience Training, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Vendor Security, Compliance & Resilience Training (SAT-03.4) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Vendor Security, Compliance & Resilience Training (SAT-03.4) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.5",
      "risk_if_not_implemented": "Without Privileged Users, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Privileged Users (SAT-03.5) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Privileged Users (SAT-03.5) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.6",
      "risk_if_not_implemented": "Without Cyber Threat Environment, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Cyber Threat Environment (SAT-03.6) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Cyber Threat Environment (SAT-03.6) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.7",
      "risk_if_not_implemented": "Without Continuing Professional Education (CPE) - Security, Compliance & Resilience Personnel, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Continuing Professional Education (CPE) - Security, Compliance & Resilience Personnel (SAT-03.7) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Continuing Professional Education (CPE) - Security, Compliance & Resilience Personnel (SAT-03.7) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.8",
      "risk_if_not_implemented": "Without Continuing Professional Education (CPE) - DevOps Personnel, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Continuing Professional Education (CPE) - DevOps Personnel (SAT-03.8) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Continuing Professional Education (CPE) - DevOps Personnel (SAT-03.8) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-03.9",
      "risk_if_not_implemented": "Without Counterintelligence Training, personnel may lack knowledge to recognize threats, increasing susceptibility to phishing and social engineering.",
      "compensating_control_1": {
        "control_id": "SAT-04",
        "name": "Security, Compliance & Resilience Training Records",
        "description": "Mechanisms exist to document, retain and monitor individual training activities, including:\n(1) Initial security, compliance and resilience awareness training;\n(2) Recurring awareness training; and\n(3) Technology Assets, Applications and/or Services (TAAS)-specific training.",
        "justification": "Security, Compliance & Resilience Training Records (SAT-04) provides personnel training and awareness that compensates for the absence of Counterintelligence Training (SAT-03.9) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Counterintelligence Training (SAT-03.9) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-04",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Training Records, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Security, Compliance & Resilience Training Records (SAT-04) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Security, Compliance & Resilience Training Records (SAT-04) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "SAT-05",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Knowledge Sharing, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Security, Compliance & Resilience Knowledge Sharing (SAT-05) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Security, Compliance & Resilience Knowledge Sharing (SAT-05) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-01.2",
      "risk_if_not_implemented": "Without Integrity Mechanisms for Software / Firmware Updates, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Integrity Mechanisms for Software / Firmware Updates (TDA-01.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-01",
        "name": "Technology Development & Acquisition",
        "description": "Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.",
        "justification": "Technology Development & Acquisition (TDA-01) provides detective monitoring capability that compensates for the absence of Integrity Mechanisms for Software / Firmware Updates (TDA-01.2) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-01.3",
      "risk_if_not_implemented": "Without Malware Testing Prior to Release, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-01",
        "name": "Technology Development & Acquisition",
        "description": "Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.",
        "justification": "Technology Development & Acquisition (TDA-01) provides detective monitoring capability that compensates for the absence of Malware Testing Prior to Release (TDA-01.3) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Malware Testing Prior to Release (TDA-01.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-01.4",
      "risk_if_not_implemented": "Without DevSecOps, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of DevSecOps (TDA-01.4) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-01",
        "name": "Technology Development & Acquisition",
        "description": "Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.",
        "justification": "Technology Development & Acquisition (TDA-01) provides detective monitoring capability that compensates for the absence of DevSecOps (TDA-01.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02",
      "risk_if_not_implemented": "Without Minimum Viable Product (MVP) Security Requirements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Minimum Viable Product (MVP) Security Requirements (TDA-02) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Minimum Viable Product (MVP) Security Requirements (TDA-02) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.1",
      "risk_if_not_implemented": "Without the Ports, Protocols & Services In Use control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Ports, Protocols & Services In Use (TDA-02.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Ports, Protocols & Services In Use (TDA-02.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.2",
      "risk_if_not_implemented": "Without Information Assurance Enabled Products, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Information Assurance Enabled Products (TDA-02.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Information Assurance Enabled Products (TDA-02.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.3",
      "risk_if_not_implemented": "Without Development Methods, Techniques & Processes, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Development Methods, Techniques & Processes (TDA-02.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Development Methods, Techniques & Processes (TDA-02.3) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.4",
      "risk_if_not_implemented": "Without Pre-Established Secure Configurations, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Pre-Established Secure Configurations (TDA-02.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Pre-Established Secure Configurations (TDA-02.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.5",
      "risk_if_not_implemented": "Without Identification & Justification of Ports, Protocols & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Identification & Justification of Ports, Protocols & Services (TDA-02.5) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Identification & Justification of Ports, Protocols & Services (TDA-02.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.6",
      "risk_if_not_implemented": "Without the Insecure Ports, Protocols & Services control, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Insecure Ports, Protocols & Services (TDA-02.6) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Insecure Ports, Protocols & Services (TDA-02.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.8",
      "risk_if_not_implemented": "Without Minimizing Attack Surfaces, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Minimizing Attack Surfaces (TDA-02.8) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Minimizing Attack Surfaces (TDA-02.8) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.9",
      "risk_if_not_implemented": "Without Ongoing Product Security Support, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Ongoing Product Security Support (TDA-02.9) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Ongoing Product Security Support (TDA-02.9) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.10",
      "risk_if_not_implemented": "Without Product Testing & Reviews, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Product Testing & Reviews (TDA-02.10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Product Testing & Reviews (TDA-02.10) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.11",
      "risk_if_not_implemented": "Without Disclosure of Vulnerabilities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Disclosure of Vulnerabilities (TDA-02.11) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Disclosure of Vulnerabilities (TDA-02.11) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.12",
      "risk_if_not_implemented": "Without Products With Digital Elements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Products With Digital Elements (TDA-02.12) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Products With Digital Elements (TDA-02.12) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.13",
      "risk_if_not_implemented": "Without Reporting Exploitable Vulnerabilities, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-02",
        "name": "Minimum Viable Product (MVP) Security Requirements",
        "description": "Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.",
        "justification": "Minimum Viable Product (MVP) Security Requirements (TDA-02) provides overlapping security capability that compensates for the absence of Reporting Exploitable Vulnerabilities (TDA-02.13) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Reporting Exploitable Vulnerabilities (TDA-02.13) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-02.14",
      "risk_if_not_implemented": "Without Logging Syntax, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Logging Syntax (TDA-02.14) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "PRM-05",
        "name": "Security, Compliance & Resilience Requirements Definition",
        "description": "Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical Technology Assets, Applications and/or Services (TAAS) at pre-defined decision points in the Secure Development Life Cycle (SDLC).",
        "justification": "Security, Compliance & Resilience Requirements Definition (PRM-05) provides resilience and recovery capability that compensates for the absence of Logging Syntax (TDA-02.14) by ensuring the organization can restore operations and data when the primary control is absent. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-03",
      "risk_if_not_implemented": "Without Commercial Off-The-Shelf (COTS) Security Solutions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Commercial Off-The-Shelf (COTS) Security Solutions (TDA-03) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-01",
        "name": "Vulnerability & Patch Management Program (VPMP)",
        "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
        "justification": "Vulnerability & Patch Management Program (VPMP) (VPM-01) provides policy-level governance that compensates for the absence of Commercial Off-The-Shelf (COTS) Security Solutions (TDA-03) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-03.1",
      "risk_if_not_implemented": "Without Supplier Diversity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-01",
        "name": "Vulnerability & Patch Management Program (VPMP)",
        "description": "Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.",
        "justification": "Vulnerability & Patch Management Program (VPMP) (VPM-01) provides policy-level governance that compensates for the absence of Supplier Diversity (TDA-03.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Supplier Diversity (TDA-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-04",
      "risk_if_not_implemented": "Without Documentation Requirements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Documentation Requirements (TDA-04) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Documentation Requirements (TDA-04) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-04.1",
      "risk_if_not_implemented": "Without Functional Properties, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Functional Properties (TDA-04.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Functional Properties (TDA-04.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-04.2",
      "risk_if_not_implemented": "Without Software Bill of Materials (SBOM), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides resilience and recovery capability that compensates for the absence of Software Bill of Materials (SBOM) (TDA-04.2) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-04",
        "name": "Documentation Requirements",
        "description": "Mechanisms exist to obtain, protect and distribute administrator documentation for Technology Assets, Applications and/or Services (TAAS) that describe:\n(1) Secure configuration, installation and operation of the TAAS;\n(2) Effective use and maintenance of security features/functions; and\n(3) Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.",
        "justification": "Documentation Requirements (TDA-04) provides policy-level governance that compensates for the absence of Software Bill of Materials (SBOM) (TDA-04.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-05",
      "risk_if_not_implemented": "Without Developer Architecture & Design, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Developer Architecture & Design (TDA-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Developer Architecture & Design (TDA-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-05.1",
      "risk_if_not_implemented": "Without Physical Diagnostic & Test Interfaces, unauthorized physical access to facilities may enable theft, tampering, or direct attacks on infrastructure.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Physical Diagnostic & Test Interfaces (TDA-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Physical Diagnostic & Test Interfaces (TDA-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-05.2",
      "risk_if_not_implemented": "Without Diagnostic & Test Interface Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Diagnostic & Test Interface Monitoring (TDA-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-05",
        "name": "Developer Architecture & Design",
        "description": "Mechanisms exist to require the developers of Technology Assets, Applications and/or Services (TAAS) to produce a design specification and security architecture that: \n(1) Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;\n(2) Accurately and completely describes the required security functionality and the allocation of security, compliance and resilience controls among physical and logical components; and\n(3) Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.",
        "justification": "Developer Architecture & Design (TDA-05) provides overlapping security capability that compensates for the absence of Diagnostic & Test Interface Monitoring (TDA-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-06.1",
      "risk_if_not_implemented": "Without Criticality Analysis During Development, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Criticality Analysis During Development (TDA-06.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Criticality Analysis During Development (TDA-06.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-06.2",
      "risk_if_not_implemented": "Without Threat Modeling, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators to consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Threat Modeling (TDA-06.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Threat Modeling (TDA-06.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-06.3",
      "risk_if_not_implemented": "Without Software Assurance Maturity Model (SAMM), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Software Assurance Maturity Model (SAMM) (TDA-06.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Software Assurance Maturity Model (SAMM) (TDA-06.3) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-06.4",
      "risk_if_not_implemented": "Without Supporting Toolchain, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Supporting Toolchain (TDA-06.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Supporting Toolchain (TDA-06.4) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-06.6",
      "risk_if_not_implemented": "Without Software Design Root Cause Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Software Design Root Cause Analysis (TDA-06.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "SEA-01",
        "name": "Secure Engineering Principles",
        "description": "Mechanisms exist to facilitate the implementation of industry-recognized security, compliance and resilience practices in the specification, design, development, implementation and modification of Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Secure Engineering Principles (SEA-01) provides overlapping security capability that compensates for the absence of Software Design Root Cause Analysis (TDA-06.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-07",
      "risk_if_not_implemented": "Without Secure Development Environments, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Secure Development Environments (TDA-07) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Secure Development Environments (TDA-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-08.1",
      "risk_if_not_implemented": "Without Secure Migration Practices, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Secure Migration Practices (TDA-08.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Secure Migration Practices (TDA-08.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09",
      "risk_if_not_implemented": "Without Security, Compliance & Resilience Testing Throughout Development, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Security, Compliance & Resilience Testing Throughout Development (TDA-09) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Security, Compliance & Resilience Testing Throughout Development (TDA-09) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.1",
      "risk_if_not_implemented": "Without Continuous Monitoring Plan, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Continuous Monitoring Plan (TDA-09.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Continuous Monitoring Plan (TDA-09.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.2",
      "risk_if_not_implemented": "Without Static Code Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Static Code Analysis (TDA-09.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Static Code Analysis (TDA-09.2) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.3",
      "risk_if_not_implemented": "Without Dynamic Code Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Dynamic Code Analysis (TDA-09.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Dynamic Code Analysis (TDA-09.3) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.4",
      "risk_if_not_implemented": "Without Malformed Input Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Malformed Input Testing (TDA-09.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Malformed Input Testing (TDA-09.4) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.5",
      "risk_if_not_implemented": "Without Application Penetration Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Application Penetration Testing (TDA-09.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Application Penetration Testing (TDA-09.5) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.6",
      "risk_if_not_implemented": "Without Secure Settings By Default, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Secure Settings By Default (TDA-09.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Secure Settings By Default (TDA-09.6) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-09.7",
      "risk_if_not_implemented": "Without Manual Code Review, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Manual Code Review (TDA-09.7) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-09",
        "name": "Security, Compliance & Resilience Testing Throughout Development",
        "description": "Mechanisms exist to require system developers/integrators consult with security, compliance and/or resilience personnel to: \n(1) Create and implement a Security Testing and Evaluation (ST&E) plan, or similar capability;\n(2) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the control testing and evaluation process; and\n(3) Document the results.",
        "justification": "Security, Compliance & Resilience Testing Throughout Development (TDA-09) provides periodic assessment and assurance that compensates for the absence of Manual Code Review (TDA-09.7) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-10",
      "risk_if_not_implemented": "Without Use of Live Data, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Use of Live Data (TDA-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Use of Live Data (TDA-10) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-10.1",
      "risk_if_not_implemented": "Without Test Data Integrity, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "DCH-01",
        "name": "Data Protection",
        "description": "Mechanisms exist to facilitate the implementation of data protection controls.",
        "justification": "Data Protection (DCH-01) provides overlapping security capability that compensates for the absence of Test Data Integrity (TDA-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "DCH-23",
        "name": "De-Identification (Anonymization)",
        "description": "Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.",
        "justification": "De-Identification (Anonymization) (DCH-23) provides overlapping security capability that compensates for the absence of Test Data Integrity (TDA-10.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-11",
      "risk_if_not_implemented": "Without Product Tampering and Counterfeiting (PTC), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-11",
        "name": "Third-Party Incident Response & Recovery Capabilities",
        "description": "Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.",
        "justification": "Third-Party Incident Response & Recovery Capabilities (TPM-11) provides resilience and recovery capability that compensates for the absence of Product Tampering and Counterfeiting (PTC) (TDA-11) by ensuring the organization can restore operations and data when the primary control is absent. This is a reactive capability: it does not detect or prevent counterfeit or tampered components from entering the supply chain, so residual risk remains higher than with the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Product Tampering and Counterfeiting (PTC) (TDA-11) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-11.1",
        "risk_if_not_implemented": "Without Anti-Counterfeit Training, personnel may be unable to recognize counterfeit or tampered components, increasing the likelihood that illegitimate hardware or software enters the supply chain undetected.",
      "compensating_control_1": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Anti-Counterfeit Training (TDA-11.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-11",
        "name": "Third-Party Incident Response & Recovery Capabilities",
        "description": "Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.",
        "justification": "Third-Party Incident Response & Recovery Capabilities (TPM-11) provides resilience and recovery capability that compensates for the absence of Anti-Counterfeit Training (TDA-11.1) by ensuring the organization can restore operations and data when the primary control is absent. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-11.2",
      "risk_if_not_implemented": "Without Component Disposal, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-11",
        "name": "Third-Party Incident Response & Recovery Capabilities",
        "description": "Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.",
        "justification": "Third-Party Incident Response & Recovery Capabilities (TPM-11) provides resilience and recovery capability that compensates for the absence of Component Disposal (TDA-11.2) by ensuring the organization can restore operations and data when the primary control is absent. Within the context of the broader security program, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-11",
        "name": "Product Tampering and Counterfeiting (PTC)",
        "description": "Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components.",
        "justification": "Product Tampering and Counterfeiting (PTC) (TDA-11) provides overlapping security capability that compensates for the absence of Component Disposal (TDA-11.2) by addressing related risk objectives through an alternative control mechanism within the same supply-chain applicability. Within the context of the broader security program, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      }
    },
    {
      "control_id": "TDA-12",
      "risk_if_not_implemented": "Without Customized Development of Critical Components, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-12",
        "name": "Foreign Ownership, Control or Influence (FOCI)",
        "description": "Mechanisms exist to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
        "justification": "Foreign Ownership, Control or Influence (FOCI)  (TPM-12) provides overlapping security capability that compensates for the absence of Customized Development of Critical Components (TDA-12) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Customized Development of Critical Components (TDA-12) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-13",
      "risk_if_not_implemented": "Without Developer Screening, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "HRS-04",
        "name": "Personnel Screening",
        "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
        "justification": "Personnel Screening (HRS-04) provides overlapping security capability that compensates for the absence of Developer Screening (TDA-13) by addressing related risk objectives through an alternative control mechanism aligned with People applicability. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-06",
        "name": "Third-Party Personnel Security",
        "description": "Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.",
        "justification": "Third-Party Personnel Security (TPM-06) provides third-party oversight that compensates for the absence of Developer Screening (TDA-13) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the people-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-14",
      "risk_if_not_implemented": "Without Developer Configuration Management, systems may operate with insecure settings or unauthorized changes, expanding the attack surface.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Developer Configuration Management (TDA-14) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides change governance that compensates for the absence of Developer Configuration Management (TDA-14) by ensuring that technical configuration changes are reviewed, approved and tracked, so unauthorized or undocumented changes to developed systems are caught before they reach production. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      }
    },
    {
      "control_id": "TDA-14.1",
      "risk_if_not_implemented": "Without Software / Firmware Integrity Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CHG-02",
        "name": "Configuration Change Control",
        "description": "Mechanisms exist to govern the technical configuration change control processes.",
        "justification": "Configuration Change Control (CHG-02) provides change governance that compensates for the absence of Software / Firmware Integrity Verification (TDA-14.1) by ensuring that software and firmware changes are reviewed, approved and tracked before deployment. Note that change control does not cryptographically verify the integrity of software or firmware (e.g., signature or hash checks), so tampering that occurs outside the change process is not addressed. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Software / Firmware Integrity Verification (TDA-14.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-14.2",
      "risk_if_not_implemented": "Without Hardware Integrity Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Hardware Integrity Verification (TDA-14.2) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-14",
        "name": "Developer Configuration Management",
        "description": "Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation.",
        "justification": "Developer Configuration Management (TDA-14) provides developer-side configuration control that compensates for the absence of Hardware Integrity Verification (TDA-14.2) by requiring developers and integrators to track and control component configuration throughout design, development, implementation and operation, so unexpected changes to hardware configuration are more likely to be noticed. Note that this does not verify the physical integrity of hardware and will not detect tampering that leaves the documented configuration unchanged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      }
    },
    {
      "control_id": "TDA-15",
      "risk_if_not_implemented": "Without Developer Threat Analysis & Flaw Remediation, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Developer Threat Analysis & Flaw Remediation (TDA-15) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Developer Threat Analysis & Flaw Remediation (TDA-15) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-16",
        "risk_if_not_implemented": "Without Developer-Provided Training, personnel who operate and maintain a system may lack knowledge of its security functions and their correct use, increasing the likelihood of misconfiguration or ineffective use of built-in security mechanisms.",
      "compensating_control_1": {
        "control_id": "SAT-03",
        "name": "Role-Based Security, Compliance & Resilience Training",
        "description": "Mechanisms exist to provide role-based security, compliance and resilience-related training: \n(1) Before authorizing access to the system or performing assigned duties; \n(2) When required by system changes; and \n(3) Annually thereafter.",
        "justification": "Role-Based Security, Compliance & Resilience Training (SAT-03) provides personnel training and awareness that compensates for the absence of Developer-Provided Training (TDA-16) by reducing human-factor risk by equipping personnel to recognize and respond to relevant threats. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Developer-Provided Training (TDA-16) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-17.1",
        "risk_if_not_implemented": "Without Alternate Sources for Continued Support, Technology Assets, Applications and/or Services (TAAS) whose supplier ceases support may remain in use without security patches or vendor assistance, leaving known vulnerabilities unremediated.",
      "compensating_control_1": {
        "control_id": "CFG-01",
        "name": "Configuration Management Program",
        "description": "Mechanisms exist to facilitate the implementation of configuration management controls.",
        "justification": "Configuration Management Program (CFG-01) provides policy-level governance that compensates for the absence of Alternate Sources for Continued Support (TDA-17.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Alternate Sources for Continued Support (TDA-17.1) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-18",
        "risk_if_not_implemented": "Without Input Data Validation, applications may accept malformed or malicious input, enabling injection attacks, memory corruption and data integrity failures.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Input Data Validation (TDA-18) by eliminating unnecessary services and enforcing secure settings to reduce the attack surface reachable by malicious input. Note that hardening limits the impact of exploitation but does not validate input, so injection-type attacks against exposed application logic remain possible. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Input Data Validation (TDA-18) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-19",
        "risk_if_not_implemented": "Without Error Handling, applications may expose sensitive information (stack traces, internal paths, credentials) in error messages or fail into an insecure state, aiding attackers and undermining data integrity.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Error Handling (TDA-19) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Error Handling (TDA-19) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-20",
        "risk_if_not_implemented": "Without Access to Program Source Code controls, unauthorized users may view or modify source code and software libraries, enabling the introduction of malicious or untested changes and exposing proprietary code.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Access to Program Source Code (TDA-20) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Access to Program Source Code (TDA-20) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-20.1",
      "risk_if_not_implemented": "Without Software Release Integrity Verification, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Software Release Integrity Verification (TDA-20.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Note that session audit only covers interactive user sessions; tampering with release artifacts outside an audited session (e.g., in a build pipeline or during distribution) is not detected. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented.",
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Software Release Integrity Verification (TDA-20.1) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-20.2",
      "risk_if_not_implemented": "Without Archiving Software Releases, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Archiving Software Releases (TDA-20.2) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-20",
        "name": "Access to Program Source Code",
        "description": "Mechanisms exist to limit privileges to change software resident within software libraries.",
        "justification": "Access to Program Source Code (TDA-20) provides access control enforcement that compensates for the absence of Archiving Software Releases (TDA-20.2) by restricting the privileges needed to change software resident within software libraries to authorized users. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-20.3",
      "risk_if_not_implemented": "Without Software Escrow, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-20",
        "name": "Access to Program Source Code",
        "description": "Mechanisms exist to limit privileges to change software resident within software libraries.",
        "justification": "Access to Program Source Code (TDA-20) provides access control enforcement that compensates for the absence of Software Escrow (TDA-20.3) by restricting the privileges needed to change software resident within software libraries to authorized users. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Software Escrow (TDA-20.3) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-20.4",
      "risk_if_not_implemented": "Without Approved Code, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Approved Code (TDA-20.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-20",
        "name": "Access to Program Source Code",
        "description": "Mechanisms exist to limit privileges to change software resident within software libraries.",
        "justification": "Access to Program Source Code (TDA-20) provides access control enforcement that compensates for the absence of Approved Code (TDA-20.4) by restricting the privileges needed to change software resident within software libraries to authorized users. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-21",
      "risk_if_not_implemented": "Without Product Conformity Governance, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Product Conformity Governance (TDA-21) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAO-02",
        "name": "Assessments",
        "description": "Mechanisms exist to formally assess the security, compliance and resilience controls in Technology Assets, Applications and/or Services (TAAS) through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.",
        "justification": "Assessments (IAO-02) provides periodic assessment and assurance that compensates for the absence of Product Conformity Governance (TDA-21) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-22",
      "risk_if_not_implemented": "Without Technical Documentation Artifacts, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides policy-level governance that compensates for the absence of Technical Documentation Artifacts (TDA-22) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Technical Documentation Artifacts (TDA-22) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TDA-22.1",
      "risk_if_not_implemented": "Without Product-Specific Risk Assessment Artifacts, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Product-Specific Risk Assessment Artifacts (TDA-22.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "GOV-02",
        "name": "Publishing Security, Compliance & Resilience Documentation",
        "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "justification": "Publishing Security, Compliance & Resilience Documentation (GOV-02) provides policy-level governance that compensates for the absence of Product-Specific Risk Assessment Artifacts (TDA-22.1) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-01.1",
      "risk_if_not_implemented": "Without Third-Party Inventories, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Third-Party Inventories (TPM-01.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Third-Party Inventories (TPM-01.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-02",
      "risk_if_not_implemented": "Without Third-Party Criticality Assessments, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Third-Party Criticality Assessments (TPM-02) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Third-Party Criticality Assessments (TPM-02) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-03",
      "risk_if_not_implemented": "Without Supply Chain Risk Management (SCRM), security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Supply Chain Risk Management (SCRM) (TPM-03) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Supply Chain Risk Management (SCRM) (TPM-03) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-03.1",
      "risk_if_not_implemented": "Without Acquisition Strategies, Tools & Methods, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Acquisition Strategies, Tools & Methods (TPM-03.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Acquisition Strategies, Tools & Methods (TPM-03.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-03.2",
      "risk_if_not_implemented": "Without Limit Potential Harm, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-09",
        "name": "Supply Chain Risk Management (SCRM) Plan",
        "description": "Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of Technology Assets, Applications and/or Services (TAAS), including documenting selected mitigating actions and monitoring performance against those plans.",
        "justification": "Supply Chain Risk Management (SCRM) Plan (RSK-09) provides risk identification and prioritization that compensates for the absence of Limit Potential Harm (TPM-03.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-03",
        "name": "Supply Chain Risk Management (SCRM)",
        "description": "Mechanisms exist to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
        "justification": "Supply Chain Risk Management (SCRM) (TPM-03) provides risk identification and prioritization that compensates for the absence of Limit Potential Harm (TPM-03.2) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-03.3",
      "risk_if_not_implemented": "Without Processes To Address Weaknesses or Deficiencies, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-03",
        "name": "Supply Chain Risk Management (SCRM)",
        "description": "Mechanisms exist to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
        "justification": "Supply Chain Risk Management (SCRM) (TPM-03) provides risk identification and prioritization that compensates for the absence of Processes To Address Weaknesses or Deficiencies (TPM-03.3) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Processes To Address Weaknesses or Deficiencies (TPM-03.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-03.4",
      "risk_if_not_implemented": "Without Adequate Supply, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Adequate Supply (TPM-03.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-03",
        "name": "Supply Chain Risk Management (SCRM)",
        "description": "Mechanisms exist to:\n(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and\n(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.",
        "justification": "Supply Chain Risk Management (SCRM) (TPM-03) provides risk identification and prioritization that compensates for the absence of Adequate Supply (TPM-03.4) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-04.1",
      "risk_if_not_implemented": "Without Third-Party Risk Assessments & Approvals, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Third-Party Risk Assessments & Approvals (TPM-04.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of Third-Party Risk Assessments & Approvals (TPM-04.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-04.2",
      "risk_if_not_implemented": "Without External Connectivity Requirements - Identification of Ports, Protocols & Services, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of External Connectivity Requirements - Identification of Ports, Protocols & Services (TPM-04.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of External Connectivity Requirements - Identification of Ports, Protocols & Services (TPM-04.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-04.3",
      "risk_if_not_implemented": "Without Conflict of Interests, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Conflict of Interests (TPM-04.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of Conflict of Interests (TPM-04.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.1",
      "risk_if_not_implemented": "Without Security Compromise Notification Agreements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of Security Compromise Notification Agreements (TPM-05.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Security Compromise Notification Agreements (TPM-05.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.2",
      "risk_if_not_implemented": "Without Contract Flow-Down Requirements, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Contract Flow-Down Requirements (TPM-05.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Contract Flow-Down Requirements (TPM-05.2) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.3",
      "risk_if_not_implemented": "Without Third-Party Authentication Practices, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Third-Party Authentication Practices (TPM-05.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of Third-Party Authentication Practices (TPM-05.3) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.4",
      "risk_if_not_implemented": "Without Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix (TPM-05.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix (TPM-05.4) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.6",
      "risk_if_not_implemented": "Without First-Party Declaration (1PD), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-04",
        "name": "Third-Party Services",
        "description": "Mechanisms exist to mitigate the risks associated with third-party access to the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Services (TPM-04) provides third-party oversight that compensates for the absence of First-Party Declaration (1PD) (TPM-05.6) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of First-Party Declaration (1PD) (TPM-05.6) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.7",
      "risk_if_not_implemented": "Without Break Clauses, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Break Clauses (TPM-05.7) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Break Clauses (TPM-05.7) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-05.8",
      "risk_if_not_implemented": "Without Third-Party Attestation (3PA), third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Third-Party Attestation (3PA) (TPM-05.8) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Third-Party Attestation (3PA) (TPM-05.8) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-06",
      "risk_if_not_implemented": "Without Third-Party Personnel Security, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "HRS-04",
        "name": "Personnel Screening",
        "description": "Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.",
        "justification": "Personnel Screening (HRS-04) provides overlapping security capability that compensates for the absence of Third-Party Personnel Security (TPM-06) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Third-Party Personnel Security (TPM-06) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-07",
      "risk_if_not_implemented": "Without Monitoring for Third-Party Information Disclosure, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-11",
        "name": "Monitoring For Information Disclosure",
        "description": "Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.",
        "justification": "Monitoring For Information Disclosure (MON-11) provides detective monitoring capability that compensates for the absence of Monitoring for Third-Party Information Disclosure (TPM-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-14",
        "name": "Cross-Organizational Monitoring",
        "description": "Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.",
        "justification": "Cross-Organizational Monitoring (MON-14) provides detective monitoring capability that compensates for the absence of Monitoring for Third-Party Information Disclosure (TPM-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-08",
      "risk_if_not_implemented": "Without Review of Third-Party Services, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Review of Third-Party Services (TPM-08) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Review of Third-Party Services (TPM-08) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-09",
      "risk_if_not_implemented": "Without Third-Party Deficiency Remediation, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "RSK-06",
        "name": "Risk Remediation",
        "description": "Mechanisms exist to remediate risks to an acceptable level.",
        "justification": "Risk Remediation (RSK-06) provides vulnerability management that compensates for the absence of Third-Party Deficiency Remediation (TPM-09) by reducing the exploitable attack surface through addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-05",
        "name": "Third-Party Contract Requirements",
        "description": "Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Third-Party Contract Requirements (TPM-05) provides third-party oversight that compensates for the absence of Third-Party Deficiency Remediation (TPM-09) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-10",
      "risk_if_not_implemented": "Without Managing Changes To Third-Party Services, third-party risks may go unmanaged, creating supply-chain exposure that compromises the organization.",
      "compensating_control_1": {
        "control_id": "CHG-01",
        "name": "Change Management Program",
        "description": "Mechanisms exist to facilitate the implementation of a change management program.",
        "justification": "Change Management Program (CHG-01) provides policy-level governance that compensates for the absence of Managing Changes To Third-Party Services (TPM-10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-08",
        "name": "Review of Third-Party Services",
        "description": "Mechanisms exist to monitor, regularly review and assess External Service Providers (ESPs) for compliance with established contractual requirements for security, compliance and resilience controls.",
        "justification": "Review of Third-Party Services (TPM-08) provides periodic assessment and assurance that compensates for the absence of Managing Changes To Third-Party Services (TPM-10) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-11",
      "risk_if_not_implemented": "Without Third-Party Incident Response & Recovery Capabilities, the organization may be unable to recover from disruptions, resulting in data loss and extended downtime.",
      "compensating_control_1": {
        "control_id": "IRO-04",
        "name": "Incident Response Plan (IRP)",
        "description": "Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.",
        "justification": "Incident Response Plan (IRP) (IRO-04) provides incident response capability that compensates for the absence of Third-Party Incident Response & Recovery Capabilities (TPM-11) by enabling timely detection, containment, and recovery from security events in the absence of the primary control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "BCD-01",
        "name": "Business Continuity Management System (BCMS)",
        "description": "Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).",
        "justification": "Business Continuity Management System (BCMS) (BCD-01) provides resilience and recovery capability that compensates for the absence of Third-Party Incident Response & Recovery Capabilities (TPM-11) by ensuring the organization can restore operations and data when the primary control is absent. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-12",
      "risk_if_not_implemented": "Without Foreign Ownership, Control or Influence (FOCI), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Foreign Ownership, Control or Influence (FOCI) (TPM-12) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Foreign Ownership, Control or Influence (FOCI) (TPM-12) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-12.1",
      "risk_if_not_implemented": "Without Ownership Change Monitoring, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "TPM-01",
        "name": "Third-Party Management",
        "description": "Mechanisms exist to facilitate the implementation of third-party management controls.",
        "justification": "Third-Party Management (TPM-01) provides third-party oversight that compensates for the absence of Ownership Change Monitoring (TPM-12.1) by extending security obligations contractually and monitoring third-party risk in lieu of direct control. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Ownership Change Monitoring (TPM-12.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "TPM-12.2",
      "risk_if_not_implemented": "Without Ownership Change Provisions, unauthorized or unreviewed changes may introduce instability or security vulnerabilities into the environment.",
      "compensating_control_1": {
        "control_id": "CPL-01",
        "name": "Statutory, Regulatory & Contractual Compliance",
        "description": "Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.",
        "justification": "Statutory, Regulatory & Contractual Compliance (CPL-01) provides overlapping security capability that compensates for the absence of Ownership Change Provisions (TPM-12.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TPM-12",
        "name": "Foreign Ownership, Control or Influence (FOCI)",
        "description": "Mechanisms exist to minimize risk associated with Foreign Ownership, Control or Influence (FOCI) through Supply Chain Risk Management (SCRM) practices.",
        "justification": "Foreign Ownership, Control or Influence (FOCI) (TPM-12) provides overlapping security capability that compensates for the absence of Ownership Change Provisions (TPM-12.2) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-01",
      "risk_if_not_implemented": "Without Threat Intelligence Program, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Threat Intelligence Program (THR-01) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-01",
        "name": "Risk Management Program",
        "description": "Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.",
        "justification": "Risk Management Program (RSK-01) provides policy-level governance that compensates for the absence of Threat Intelligence Program (THR-01) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-02",
      "risk_if_not_implemented": "Without Indicators of Exposure (IOE), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Indicators of Exposure (IOE) (THR-02) by routinely identifying known weaknesses and configuration errors before they are leveraged, thereby reducing the exploitable attack surface. Note that scanning identifies exposures but does not remediate them, so its value as a compensating control depends on findings being tracked to closure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides policy-level governance that compensates for the absence of Indicators of Exposure (IOE) (THR-02) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-03",
      "risk_if_not_implemented": "Without Threat Intelligence Feeds, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides policy-level governance that compensates for the absence of Threat Intelligence Feeds (THR-03) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Threat Intelligence Feeds (THR-03) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have provided early warning of. Note that without threat intelligence feeds, monitoring has no external source of current attacker tactics, techniques and procedures, so detection is limited to behaviors already covered by existing rules and baselines. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-03.1",
      "risk_if_not_implemented": "Without Threat Intelligence Reporting, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Threat Intelligence Reporting (THR-03.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have helped anticipate. Note that continuous monitoring detects activity but does not itself communicate threat information to decision-makers, so the awareness function of the primary control is not replaced. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-03",
        "name": "Threat Intelligence Feeds",
        "description": "Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.",
        "justification": "Threat Intelligence Feeds (THR-03) provides overlapping security capability that compensates for the absence of Threat Intelligence Reporting (THR-03.1) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-04",
      "risk_if_not_implemented": "Without Insider Threat Program, security risks may go unmanaged, resulting in uncontrolled exposures and misaligned security investments.",
      "compensating_control_1": {
        "control_id": "HRS-15",
        "name": "Reporting Suspicious Activities",
        "description": "Mechanisms exist to enable personnel to report suspicious activities and/or behavior without fear of reprisal or other negative consequences (e.g., whistleblower protections).",
        "justification": "Reporting Suspicious Activities (HRS-15) provides overlapping security capability that compensates for the absence of Insider Threat Program (THR-04) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Insider Threat Program (THR-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-05",
      "risk_if_not_implemented": "Without Insider Threat Awareness, personnel may lack knowledge to recognize threats, increasing susceptibility to phishing and social engineering.",
      "compensating_control_1": {
        "control_id": "SAT-02",
        "name": "Security, Compliance & Resilience Awareness Training",
        "description": "Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.",
        "justification": "Security, Compliance & Resilience Awareness Training (SAT-02) provides personnel training and awareness that compensates for the absence of Insider Threat Awareness (THR-05) by equipping personnel to recognize and respond to relevant threats, thereby reducing human-factor risk. Note that general awareness training may not cover the specific indicators of insider activity that a dedicated insider threat curriculum would address. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "HRS-15",
        "name": "Reporting Suspicious Activities",
        "description": "Mechanisms exist to enable personnel to report suspicious activities and/or behavior without fear of reprisal or other negative consequences (e.g., whistleblower protections).",
        "justification": "Reporting Suspicious Activities (HRS-15) provides overlapping security capability that compensates for the absence of Insider Threat Awareness (THR-05) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-06",
      "risk_if_not_implemented": "Without Vulnerability Disclosure Program (VDP), unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Vulnerability Disclosure Program (VDP) (THR-06) by ensuring that identified weaknesses are tracked and remediated before they are leveraged, thereby reducing the exploitable attack surface. Note that an internal remediation process only acts on vulnerabilities the organization is already aware of; without a disclosure channel, issues found by external researchers may go unreported or be disclosed publicly instead. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Vulnerability Disclosure Program (VDP) (THR-06) by routinely identifying known weaknesses and configuration errors before they are leveraged, thereby reducing the exploitable attack surface. Note that automated scanning finds only weaknesses its signatures and checks cover; logic flaws and novel vulnerabilities that external researchers would report through a disclosure program are unlikely to be detected this way. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-06.1",
      "risk_if_not_implemented": "Without Security Disclosure Contact Information, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Security Disclosure Contact Information (THR-06.1) by routinely identifying known weaknesses and configuration errors before they are leveraged, thereby reducing the exploitable attack surface. Note that scanning does not provide the inbound channel that published disclosure contact information establishes; external parties who discover a vulnerability will have no designated way to report it, increasing the likelihood of delayed or public disclosure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Security Disclosure Contact Information (THR-06.1) by ensuring that identified weaknesses are tracked and remediated before they are leveraged, thereby reducing the exploitable attack surface. Note that a remediation process acts only on vulnerabilities already known to the organization and does not substitute for a published contact point through which external parties can report findings. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-07",
      "risk_if_not_implemented": "Without Threat Hunting, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Threat Hunting (THR-07) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have proactively surfaced. Note that continuous monitoring is largely alert-driven and reactive, whereas threat hunting seeks out activity that existing detections miss; the compensating control therefore does not cover threats that evade current rules and baselines. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides policy-level governance that compensates for the absence of Threat Hunting (THR-07) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-08",
      "risk_if_not_implemented": "Without Tainting, AI and autonomous technology risks may go ungoverned, leading to unintended outcomes or exploitation.",
      "compensating_control_1": {
        "control_id": "MON-09",
        "name": "Non-Repudiation",
        "description": "Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.",
        "justification": "Non-Repudiation (MON-09) provides overlapping security capability that compensates for the absence of Tainting (THR-08) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-12",
        "name": "Session Audit",
        "description": "Mechanisms exist to provide session audit capabilities that can: \n(1) Capture and log all content related to a user session; and\n(2) Remotely view all content related to an established user session in real time.",
        "justification": "Session Audit (MON-12) provides detective monitoring capability that compensates for the absence of Tainting (THR-08) by capturing unauthorized, anomalous, or non-compliant activity within user sessions so that it can be detected and traced to an actor. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-09",
      "risk_if_not_implemented": "Without Threat Catalog, risk assessments and threat analyses may omit relevant threats, leaving exposures unidentified and allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides policy-level governance that compensates for the absence of Threat Catalog (THR-09) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Threat Catalog (THR-09) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-10",
      "risk_if_not_implemented": "Without Threat Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "RSK-04",
        "name": "Risk Assessment",
        "description": "Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).",
        "justification": "Risk Assessment (RSK-04) provides periodic assessment and assurance that compensates for the absence of Threat Analysis (THR-10) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "THR-01",
        "name": "Threat Intelligence Program",
        "description": "Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.",
        "justification": "Threat Intelligence Program (THR-01) provides policy-level governance that compensates for the absence of Threat Analysis (THR-10) by establishing documented expectations, accountability structures, and organizational guardrails. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "THR-11",
      "risk_if_not_implemented": "Without Behavioral Baselining, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-16",
        "name": "Anomalous Behavior",
        "description": "Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.",
        "justification": "Anomalous Behavior (MON-16) provides detective monitoring capability that compensates for the absence of Behavioral Baselining (THR-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Note that UEBA/UAM solutions depend on an established baseline of normal behavior to flag anomalies, so this compensating control is effective only to the extent that the deployed solution builds and maintains that baseline itself. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Behavioral Baselining (THR-11) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have detected. Note that monitoring without a behavioral baseline relies on signature- and threshold-based detections, so deviations from normal user or entity behavior that do not match an existing rule are unlikely to be flagged. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-01",
      "risk_if_not_implemented": "Without Vulnerability & Patch Management Program (VPMP), unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Vulnerability & Patch Management Program (VPMP) (VPM-01) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Note that hardening reduces the number of reachable services but does not remediate vulnerabilities in the services that remain enabled; known exploitable flaws in those components persist until patched. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Vulnerability & Patch Management Program (VPMP) (VPM-01) by limiting attacker reach and lateral movement opportunities across the environment. Note that boundary controls constrain who can reach a vulnerable system but do not remove the vulnerability; any service exposed across a boundary, or reachable by an attacker already inside it, remains exploitable until patched. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-01.1",
      "risk_if_not_implemented": "Without Attack Surface Scope, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Attack Surface Scope (VPM-01.1) by routinely identifying known weaknesses and configuration errors before they are leveraged, thereby reducing the exploitable attack surface. Note that without a defined attack surface scope, scan coverage must be validated against an asset inventory; assets outside the configured scan targets remain unassessed. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Attack Surface Scope (VPM-01.1) by ensuring that identified weaknesses are tracked and remediated before they are leveraged, thereby reducing the exploitable attack surface. Note that remediation acts only on vulnerabilities in assets that have been identified and assessed; without a defined scope, unknown or unscoped assets fall outside the process. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-03",
      "risk_if_not_implemented": "Without Vulnerability Ranking, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "RSK-05",
        "name": "Risk Ranking",
        "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.",
        "justification": "Risk Ranking (RSK-05) provides risk identification and prioritization that compensates for the absence of Vulnerability Ranking (VPM-03) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Vulnerability Ranking (VPM-03) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-03.1",
      "risk_if_not_implemented": "Without Vulnerability Exploitation Analysis, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Vulnerability Exploitation Analysis (VPM-03.1) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "RSK-05",
        "name": "Risk Ranking",
        "description": "Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.",
        "justification": "Risk Ranking (RSK-05) provides risk identification and prioritization that compensates for the absence of Vulnerability Exploitation Analysis (VPM-03.1) by enabling informed decisions about where to focus resources to manage residual exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-04",
      "risk_if_not_implemented": "Without Continuous Vulnerability Remediation Activities, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Continuous Vulnerability Remediation Activities (VPM-04) by reducing the exploitable attack surface by addressing known weaknesses before they are leveraged. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Continuous Vulnerability Remediation Activities (VPM-04) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-04.1",
      "risk_if_not_implemented": "Without Stable Versions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Stable Versions (VPM-04.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Stable Versions (VPM-04.1) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-04.2",
      "risk_if_not_implemented": "Without Flaw Remediation with Personal Data (PD), unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-04",
        "name": "Continuous Vulnerability Remediation Activities",
        "description": "Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.",
        "justification": "Continuous Vulnerability Remediation Activities (VPM-04) provides vulnerability management that compensates for the absence of Flaw Remediation with Personal Data (PD) (VPM-04.2) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Flaw Remediation with Personal Data (PD) (VPM-04.2) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-04.3",
      "risk_if_not_implemented": "Without Deferred Patching Decisions, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Deferred Patching Decisions (VPM-04.3) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-04",
        "name": "Continuous Vulnerability Remediation Activities",
        "description": "Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.",
        "justification": "Continuous Vulnerability Remediation Activities (VPM-04) provides vulnerability management that compensates for the absence of Deferred Patching Decisions (VPM-04.3) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.1",
      "risk_if_not_implemented": "Without Centralized Management of Flaw Remediation Processes, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "CFG-06",
        "name": "Configuration Enforcement",
        "description": "Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.",
        "justification": "Configuration Enforcement (CFG-06) provides configuration hardening that compensates for the absence of Centralized Management of Flaw Remediation Processes (VPM-05.1) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Centralized Management of Flaw Remediation Processes (VPM-05.1) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.2",
      "risk_if_not_implemented": "Without Automated Remediation Status, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Automated Remediation Status (VPM-05.2) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Automated Remediation Status (VPM-05.2) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.3",
      "risk_if_not_implemented": "Without Time To Remediate / Benchmarks For Corrective Action, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Time To Remediate / Benchmarks For Corrective Action (VPM-05.3) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Time To Remediate / Benchmarks For Corrective Action (VPM-05.3) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.4",
      "risk_if_not_implemented": "Without Automated Software & Firmware Updates, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Automated Software & Firmware Updates (VPM-05.4) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Automated Software & Firmware Updates (VPM-05.4) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.5",
      "risk_if_not_implemented": "Without Removal of Previous Versions, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Removal of Previous Versions (VPM-05.5) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Removal of Previous Versions (VPM-05.5) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.6",
      "risk_if_not_implemented": "Without Pre-Deployment Patch Testing, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Pre-Deployment Patch Testing (VPM-05.6) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Pre-Deployment Patch Testing (VPM-05.6) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.7",
      "risk_if_not_implemented": "Without Out-of-Cycle Patching, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Out-of-Cycle Patching (VPM-05.7) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Out-of-Cycle Patching (VPM-05.7) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-05.8",
      "risk_if_not_implemented": "Without Software Patch Integrity, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Software Patch Integrity (VPM-05.8) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-05",
        "name": "Software & Firmware Patching",
        "description": "Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.",
        "justification": "Software & Firmware Patching (VPM-05) provides vulnerability management that compensates for the absence of Software Patch Integrity (VPM-05.8) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06",
      "risk_if_not_implemented": "Without Vulnerability Scanning, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Vulnerability Scanning (VPM-06) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Vulnerability Scanning (VPM-06) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.1",
      "risk_if_not_implemented": "Without Update Tool Capability, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Update Tool Capability (VPM-06.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Update Tool Capability (VPM-06.1) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.2",
      "risk_if_not_implemented": "Without Breadth / Depth of Coverage, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Breadth / Depth of Coverage (VPM-06.2) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Breadth / Depth of Coverage (VPM-06.2) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.3",
      "risk_if_not_implemented": "Without Privileged Access, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Privileged Access (VPM-06.3) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Privileged Access (VPM-06.3) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.4",
      "risk_if_not_implemented": "Without Trend Analysis, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Trend Analysis (VPM-06.4) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Trend Analysis (VPM-06.4) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.5",
      "risk_if_not_implemented": "Without Review Historical Event logs, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Review Historical Event logs (VPM-06.5) by addressing known weaknesses before they can be leveraged, thereby reducing the exploitable attack surface. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Review Historical Event logs (VPM-06.5) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of the primary control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.6",
      "risk_if_not_implemented": "Without External Vulnerability Assessment Scans, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of External Vulnerability Assessment Scans (VPM-06.6) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of External Vulnerability Assessment Scans (VPM-06.6) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.7",
      "risk_if_not_implemented": "Without Internal Vulnerability Assessment Scans, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Internal Vulnerability Assessment Scans (VPM-06.7) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-02",
        "name": "Vulnerability Remediation Process",
        "description": "Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.",
        "justification": "Vulnerability Remediation Process (VPM-02) provides vulnerability management that compensates for the absence of Internal Vulnerability Assessment Scans (VPM-06.7) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.8",
      "risk_if_not_implemented": "Without Acceptable Discoverable Information, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Acceptable Discoverable Information (VPM-06.8) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Acceptable Discoverable Information (VPM-06.8) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-06.9",
      "risk_if_not_implemented": "Without Correlate Scanning Information, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Correlate Scanning Information (VPM-06.9) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Correlate Scanning Information (VPM-06.9) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-07",
      "risk_if_not_implemented": "Without Penetration Testing, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-06",
        "name": "Vulnerability Scanning",
        "description": "Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.",
        "justification": "Vulnerability Scanning (VPM-06) provides vulnerability management that compensates for the absence of Penetration Testing (VPM-07) by addressing known weaknesses before they are leveraged, thereby reducing the exploitable attack surface. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Penetration Testing (VPM-07) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-07.1",
      "risk_if_not_implemented": "Without Independent Penetration Agent or Team, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Independent Penetration Agent or Team (VPM-07.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Independent Penetration Agent or Team (VPM-07.1) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-08",
      "risk_if_not_implemented": "Without Technical Surveillance Countermeasures Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Technical Surveillance Countermeasures Security (VPM-08) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Technical Surveillance Countermeasures Security (VPM-08) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-09",
      "risk_if_not_implemented": "Without Reviewing Vulnerability Scanner Usage, unpatched vulnerabilities accumulate, providing attackers with known and exploitable entry points.",
      "compensating_control_1": {
        "control_id": "IAC-21",
        "name": "Least Privilege",
        "description": "Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.",
        "justification": "Least Privilege (IAC-21) provides access control enforcement that compensates for the absence of Reviewing Vulnerability Scanner Usage (VPM-09) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Reviewing Vulnerability Scanner Usage (VPM-09) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "VPM-10",
      "risk_if_not_implemented": "Without Red Team Exercises, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "VPM-07",
        "name": "Penetration Testing",
        "description": "Mechanisms exist to conduct penetration testing on Technology Assets, Applications and/or Services (TAAS).",
        "justification": "Penetration Testing (VPM-07) provides periodic assessment and assurance that compensates for the absence of Red Team Exercises (VPM-10) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Red Team Exercises (VPM-10) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-01",
      "risk_if_not_implemented": "Without Web Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Web Security (WEB-01) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Web Security (WEB-01) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-01.1",
      "risk_if_not_implemented": "Without Unauthorized Code, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Unauthorized Code (WEB-01.1) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Unauthorized Code (WEB-01.1) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-02",
      "risk_if_not_implemented": "Without Use of Demilitarized Zones (DMZ), residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Use of Demilitarized Zones (DMZ) (WEB-02) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-06",
        "name": "Network Segmentation (macrosegmentation)",
        "description": "Mechanisms exist to ensure network architecture utilizes network segmentation to isolate Technology Assets, Applications and/or Services (TAAS) to protect from other network resources.",
        "justification": "Network Segmentation (macrosegmentation) (NET-06) provides network-level access restriction that compensates for the absence of Use of Demilitarized Zones (DMZ) (WEB-02) by limiting attacker reach and lateral movement opportunities across the environment. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-03",
      "risk_if_not_implemented": "Without Web Application Firewall (WAF), network defenses are weakened, enabling lateral movement and exploitation of unprotected pathways.",
      "compensating_control_1": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Web Application Firewall (WAF) (WEB-03) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Web Application Firewall (WAF) (WEB-03) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-05",
      "risk_if_not_implemented": "Without Cookie Management, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "IAC-25",
        "name": "Session Termination",
        "description": "Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.",
        "justification": "Session Termination (IAC-25) provides overlapping security capability that compensates for the absence of Cookie Management (WEB-05) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "IAC-20",
        "name": "Access Enforcement",
        "description": "Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of \"least privilege.\"",
        "justification": "Access Enforcement (IAC-20) provides access control enforcement that compensates for the absence of Cookie Management (WEB-05) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-06",
      "risk_if_not_implemented": "Without Strong Customer Authentication (SCA), unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "IAC-06",
        "name": "Multi-Factor Authentication (MFA)",
        "description": "Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:\n(1) Remote network access;\n(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or\n(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.",
        "justification": "Multi-Factor Authentication (MFA) (IAC-06) provides access control enforcement that compensates for the absence of Strong Customer Authentication (SCA) (WEB-06) by restricting system and data access to authorized users through alternative identity and access mechanisms. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CRY-02",
        "name": "Automated Authentication Through Cryptographic Modules",
        "description": "Automated mechanisms exist to enable systems to authenticate to a cryptographic module.",
        "justification": "Automated Authentication Through Cryptographic Modules (CRY-02) provides cryptographic protection that compensates for the absence of Strong Customer Authentication (SCA) (WEB-06) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-07",
      "risk_if_not_implemented": "Without Web Security Standard, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Web Security Standard (WEB-07) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Web Security Standard (WEB-07) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-08",
      "risk_if_not_implemented": "Without Web Application Framework, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Web Application Framework (WEB-08) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Web Application Framework (WEB-08) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-09",
      "risk_if_not_implemented": "Without Validation & Sanitization, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-18",
        "name": "Input Data Validation",
        "description": "Mechanisms exist to check the validity of information inputs.",
        "justification": "Input Data Validation (TDA-18) provides overlapping security capability that compensates for the absence of Validation & Sanitization (WEB-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Validation & Sanitization (WEB-09) by addressing related risk objectives through an alternative control mechanism aligned with Process applicability. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-10",
      "risk_if_not_implemented": "Without Secure Web Traffic, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CRY-03",
        "name": "Transmission Confidentiality",
        "description": "Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.",
        "justification": "Transmission Confidentiality (CRY-03) provides cryptographic protection that compensates for the absence of Secure Web Traffic (WEB-10) by ensuring data confidentiality and integrity through alternative technical means. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "NET-03",
        "name": "Boundary Protection",
        "description": "Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.",
        "justification": "Boundary Protection (NET-03) provides network-level access restriction that compensates for the absence of Secure Web Traffic (WEB-10) by limiting attacker reach and lateral movement opportunities across the environment. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-11",
      "risk_if_not_implemented": "Without Output Encoding, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "TDA-06",
        "name": "Secure Software Development Practices (SSDP)",
        "description": "Mechanisms exist to develop applications based on Secure Software Development Practices (SSDP).",
        "justification": "Secure Software Development Practices (SSDP) (TDA-06) provides overlapping security capability that compensates for the absence of Output Encoding (WEB-11) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "TDA-18",
        "name": "Input Data Validation",
        "description": "Mechanisms exist to check the validity of information inputs.",
        "justification": "Input Data Validation (TDA-18) provides overlapping security capability that compensates for the absence of Output Encoding (WEB-11) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-12",
      "risk_if_not_implemented": "Without Web Browser Security, residual security, compliance, or resilience risk may accumulate, potentially leading to control failures or non-compliance.",
      "compensating_control_1": {
        "control_id": "CFG-02",
        "name": "Secure Baseline Configurations",
        "description": "Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.",
        "justification": "Secure Baseline Configurations (CFG-02) provides configuration hardening that compensates for the absence of Web Browser Security (WEB-12) by eliminating unnecessary services and enforcing secure settings to reduce inherent exposure. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "END-02",
        "name": "Endpoint Protection Measures",
        "description": "Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.",
        "justification": "Endpoint Protection Measures (END-02) provides overlapping security capability that compensates for the absence of Web Browser Security (WEB-12) by addressing related risk objectives through an alternative control mechanism aligned with Technology applicability. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-13",
      "risk_if_not_implemented": "Without Website Change Detection, security events may go undetected, allowing threats to persist unnoticed and increasing breach dwell time.",
      "compensating_control_1": {
        "control_id": "MON-18",
        "name": "File Activity Monitoring (FAM)",
        "description": "Automated mechanisms exist to monitor sensitive/regulated data in Technology Assets, Applications and/or Services (TAAS) and data repositories.",
        "justification": "File Activity Monitoring (FAM) (MON-18) provides detective monitoring capability that compensates for the absence of Website Change Detection (WEB-13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Website Change Detection (WEB-13) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the technology-focused nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    },
    {
      "control_id": "WEB-14",
      "risk_if_not_implemented": "Without Publicly Accessible Content Reviews, unauthorized users may gain access to systems or data, increasing risk of data breaches and insider threats.",
      "compensating_control_1": {
        "control_id": "MON-01",
        "name": "Continuous Monitoring",
        "description": "Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.",
        "justification": "Continuous Monitoring (MON-01) provides detective monitoring capability that compensates for the absence of Publicly Accessible Content Reviews (WEB-14) by identifying unauthorized, anomalous, or non-compliant activity that the primary control would have prevented. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      },
      "compensating_control_2": {
        "control_id": "CPL-03",
        "name": "Security, Compliance & Resilience Assessments",
        "description": "Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's security, compliance and/or resilience policies, standards and other applicable requirements.",
        "justification": "Security, Compliance & Resilience Assessments (CPL-03) provides periodic assessment and assurance that compensates for the absence of Publicly Accessible Content Reviews (WEB-14) by providing structured evaluation of the environment to surface gaps and verify residual control effectiveness. Given the process-oriented nature of this control, this compensating control targets the same underlying risk objective through an alternative approach, helping to maintain an acceptable level of residual risk until the primary control can be implemented."
      }
    }
  ]
}